Overview
When you are using the M-Files mobile app for Android, you need to set up a vault connection. In some situations, you may get errors pointing to an SSL issue like the ones listed below. This article explains the most common issues, causes, and what to check.
A typical symptom is that the Android app cannot connect to a vault, but the web client works as expected.
A typical error is:
Please check your username, password and server address, and confirm that you have a valid license on the server.
Followed immediately by this error (note that it may be the only one that appears):
An SSL error has occurred, preventing the HTTPS connection from being established. Would you like M-Files to try HTTP instead?
Other common error messages you may see are
Chain Validation Failed
And when you open the details you may see something like
SSLHandshakeException
Chain Validation failed
CertificateException
Chain validation failed
And/or
CertificateExpiredException
Certificate expired at <date in the past> (compared to <current date>)
Details
Such issues are usually encountered in on-premises installations. If you have a vault in the M-Files cloud, you can also test connecting to it - if the connection succeeds, the issue likely lies with the SSL certificate in the local installation.
All these errors point to a problem in the SSL certificate resolution on that device. You need to ensure that:
- the server provides a correct and valid certificate,
- the device trusts that certificate,
- the device trusts the certificate authority that issued the certificate.
You can use online SSL diagnostic tools to check whether your certificate is fully compliant and properly installed, such as the following (note, these are third party services that M-Files does not guarantee or host):
Here is some more information on each of the most common error messages, and how to double check that things are configured correctly.
You may need to involve your local IT/Network administrators to resolve the certificate issues, and you can provide them with the relevant information from this article.
If you are having an issue with an M-Files Cloud vault, contact support@m-files.com .
Note that if you have installed a custom certificate for encrypting a gRPC connection, the same rules and issues apply to it - it is, essentially, a server certificate similar to the standard SSL certificate you install on your web server.
Chain validation failed
This error indicates that the device does not trust the certificate itself and/or the certificate authority that issued it. You need to ensure that the device trusts the certificate.
A very common reason for this issue is using self-signed certificates (for example, ones you can create yourself via IIS). When you test things locally, they are quite convenient, and you only need to accept the browser prompt that the connection is unsafe while testing with browsers. Mobile devices, however, do not ask for a human verification of the risk and deny the certificate trust immediately.
What you can do is:
- Use a certificate issued by a well-known authority.
- Note that you need to ensure that the device trusts the Root Certificate Authority that issued the certificate. You may need to double check the ones your devices trust. Usually, the list is available in a section similar to "Trusted credentials" under the "Security" settings.
- If you have a way, install any custom certificate to the devices. Note that whether/how this is possible depends entirely on the local infrastructure and is not supported by M-Files.
Certificate expired
Double check the dates reported in the dialog with the error message. Certificates have expiration dates which may sometimes be as short as a few weeks. A system that worked until last week or even until a couple of hours ago may still fail due to a certificate expiration.
You may also see a certificate expiration error when using self-signed certificates. In such cases it is usually accompanied by more errors.
The solution is to ensure you are using a valid certificate. You can usually check its expiration date on the web server computer, and also by accessing the vault URL with a web browser and examining the certificate details (see more in the next section).
Comparing with the web browser, checking the certificate details and that the device trusts the issuer
Web browsers show a lot of details about the certificate provided by the server, and you can use a browser to double check the information.
Note that if you use the browser on the Android device, there is a chance that it will not show certificate validation errors, even if the native M-Files app shows errors. The browser can use their own separate certificate store that may happen to trust the current certificate, while the main store on the device may not.
The steps below outline how you can check the certificate details. Note that your actual data can vary. If you see errors, review their details with your IT/Network department.
Open the web client and access the server. You don't need to log in, just click the padlock icon.
This will show you the popup with the certificate details where you can see information such as its domain, issuer and validity.
In the Certification Path tab you can also find the Root Certification Authority and follow through its certificate.
And this will let you ensure that your device trusts that authority. For example, the following screenshot is from an Android 12 device. You can also review the details to confirm you are looking at the same certificate - such as serial numbers and thumbprints.
