javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed

Question

I want to implement pinning of the certificates, but I am stucked at SSLPeerUnverifiedException. I tried to implement functionality, that by default I will trust all the certs.

Here is my code.

CertificatePinner certificatePinner = new CertificatePinner.Builder()
            .add("*.percolate.com", "sha256/gd0jw5Y5beTzcXkn1mrr9b+Dri2kx2IIkML8vU5Xz04=")
            .build();
    OkHttpClient.Builder client = new OkHttpClient.Builder().certificatePinner(certificatePinner);

    try {
        final X509TrustManager x509TrustManager = new X509TrustManager() {
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[]{};
            }
        };
        final TrustManager[] trustAllCerts = new TrustManager[]{
                x509TrustManager
        };

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new SecureRandom());

        client.sslSocketFactory(sslContext.getSocketFactory(), x509TrustManager)
                .hostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session) {
                        return true;
                    }
                });
    } catch (GeneralSecurityException e) {
        e.printStackTrace();
    }
    Request request = new Request.Builder()
            .url("https://mobile-versions-api.percolate.com/api/config/")
            .build();
    final Response execute = client.build().newCall(request).execute();

UPDATE:

After adding property I got detailed output, but I am still lost.

Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1507279555 bytes = { 153, 103, 215, 204, 115, 131, 8, 22, 109, 104, 37, 131, 131, 233, 138, 34, 63, 28, 3, 30, 54, 35, 251, 254, 95, 241, 185, 4 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=mobile-versions-api.percolate.com]
Extension renegotiation_info, renegotiated_connection: <empty>
***
main, WRITE: TLSv1.2 Handshake, length = 210
main, READ: TLSv1.2 Handshake, length = 87
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1507279555 bytes = { 19, 115, 138, 146, 56, 170, 146, 79, 4, 147, 249, 113, 32, 58, 32, 201, 238, 96, 87, 184, 97, 78, 1, 239, 107, 38, 172, 122 }
Session ID:  {104, 44, 102, 109, 174, 183, 14, 5, 250, 56, 32, 54, 108, 122, 65, 133, 124, 209, 100, 56, 243, 86, 193, 102, 120, 103, 242, 36, 219, 90, 240, 180}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 1864
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=*.percolate.com, OU=Ops, O="Percolate Industries, Inc.", L=New York, ST=New York, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 27401232310841133798229367871778264888123281636579263087556493451455060403259520645144584781313630991090105503198253906558563466329078722164170243267435739582081442222282097054777661956394083571911323130008480518688103543574372442709650254253434253066390644674176409954924769117481644772680166177303275929599129288661414733297270603535292347906522589286324172574835433083241554969591753284712463949161543930921995788372612260539349349380608375726629159393031898512729904510137397763415534963786907974673280474817121866827512205197365492992497240546530049440471928541689855437508889763971224310008127580760255679638381
  public exponent: 65537
  Validity: [From: Wed Feb 28 01:00:00 CET 2018,
               To: Fri Jun 26 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    098195a7 788de187 8021110d 87683a26]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 E7 04 82 01 E3   01 E1 00 76 00 A4 B9 09  ...........v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 61 DD A5 C5 64 00 00 04   03 00 47 30 45 02 21 00  a...d.....G0E.!.
0040: EF A8 D2 77 82 20 E8 F1   7E 1D 52 42 CF B9 F0 AA  ...w. ....RB....
0050: 22 E7 70 B0 86 91 90 5A   64 A1 03 4A 59 9F 4A 5F  ".p....Zd..JY.J_
0060: 02 20 3A 49 C7 56 ED 7A   C8 F8 CF C3 A9 0D 3D 54  . :I.V.z......=T
0070: 7E 29 F7 CB 62 7B 5E 9A   E2 EB CC 3B 5F 8D FA BA  .)..b.^....;_...
0080: 3B FB 00 77 00 87 75 BF   E7 59 7C F8 8C 43 99 5F  ;..w..u..Y...C._
0090: BD F3 6E FF 56 8D 47 56   36 FF 4A B5 60 C1 B4 EA  ..n.V.GV6.J.`...
00A0: FF 5E A0 83 0F 00 00 01   61 DD A5 C6 27 00 00 04  .^......a...'...
00B0: 03 00 48 30 46 02 21 00   B3 E6 9F 85 4F AA 24 4F  ..H0F.!.....O.$O
00C0: A1 45 34 56 6C 90 D8 A7   29 04 4F 85 C3 B4 17 55  .E4Vl...).O....U
00D0: 1C B0 D8 AB E7 58 4F 7F   02 21 00 C8 07 C9 1C A0  .....XO..!......
00E0: 3C C4 77 21 2F E3 F0 A6   5F 95 A3 CA 85 BD D3 94  <.w!/..._.......
00F0: FF C0 B1 ED 0C 5C 8D C5   BD AF AB 00 76 00 EE 4B  .....\......v..K
0100: BD B7 75 CE 60 BA E1 42   69 1F AB E1 9E 66 A3 0F  ..u.`..Bi....f..
0110: 7E 5F B0 72 D8 83 00 C4   7B 89 7A A8 FD CB 00 00  ._.r......z.....
0120: 01 61 DD A5 C7 B8 00 00   04 03 00 47 30 45 02 21  .a.........G0E.!
0130: 00 9A 4A CE FD 4B 77 3A   36 BD 2E 67 5F 14 82 47  ..J..Kw:6..g_..G
0140: 11 30 C8 CB 68 E4 84 B5   01 D4 77 2F 67 5A 39 81  .0..h.....w/gZ9.
0150: 1A 02 20 78 57 38 5C F6   DF 92 36 B4 96 2F C6 CB  .. xW8\...6../..
0160: 83 1E 96 9D 87 C0 B9 DE   08 E2 B1 97 3A AF FF 19  ............:...
0170: 69 DD AC 00 76 00 BB D9   DF BC 1F 8A 71 B5 93 94  i...v.......q...
0180: 23 97 AA 92 7B 47 38 57   95 0A AB 52 E8 1A 90 96  #....G8W...R....
0190: 64 36 8E 1E D1 85 00 00   01 61 DD A5 C6 4E 00 00  d6.......a...N..
01A0: 04 03 00 47 30 45 02 20   50 32 03 EB 43 F7 C2 E6  ...G0E. P2..C...
01B0: 73 08 4B 40 C3 1E 92 C2   77 8F 0D F9 CB EF 39 FA  s.K@....w.....9.
01C0: 93 D0 92 DA DE 30 7E 49   02 21 00 8C B5 02 C6 BF  .....0.I.!......
01D0: F4 86 00 27 4C 94 87 3D   4B 9A 5A 9E 9D B2 FE B7  ...'L..=K.Z.....
01E0: AC 6B FC 9B A9 D6 36 41   19 14 BE                 .k....6A...


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.percolate.com
  DNSName: percolate.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 64 49 16 AF 41 B0 38   A9 15 FF 3F A3 74 EA 6C  .dI..A.8...?.t.l
0010: E0 09 51 A0                                        ..Q.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 3D B8 D5 01 DB A2 56 90   DA F0 09 69 74 9C 4D 8A  =.....V....it.M.
0010: 26 06 AE F0 90 F9 5E DD   8F DE 47 DD B0 A4 07 A4  &.....^...G.....
0020: 12 2B 42 CA 0B 76 16 FC   D5 2F 3C 0B 97 BE DC 65  .+B..v.../<....e
0030: 77 F3 D1 77 F8 69 43 56   1E 25 E5 A3 8C CA 0C 0D  w..w.iCV.%......
0040: CA E3 34 78 AB 2C 18 21   51 59 DD 9D 05 B1 1A 2B  ..4x.,.!QY.....+
0050: 1E 42 68 C2 31 FC 05 EC   27 FD F1 8B B0 C6 72 82  .Bh.1...'.....r.
0060: 98 49 1D C5 09 2B DB A3   AF EB 0F 6A 96 28 54 45  .I...+.....j.(TE
0070: 15 C5 AC 7F 43 4F AC F5   66 AE 04 12 FE 52 D1 0A  ....CO..f....R..
0080: E9 F8 82 3A AF 03 EF F1   36 9A 3F 33 23 A0 7B 79  ...:....6.?3#..y
0090: DD A7 0F 24 F5 0E 9B B0   C0 13 80 65 D2 F2 1E 7C  ...$.......e....
00A0: 94 75 9D 87 44 F1 D5 0A   7C 7C 8D C5 ED 66 2A CE  .u..D........f*.
00B0: 67 5E 0B F3 C5 C7 3D E7   B7 3E 45 C0 27 81 07 A0  g^....=..>E.'...
00C0: 23 76 FE 99 22 E6 E7 18   3F 6A 76 BC 96 BA B0 67  #v.."...?jv....g
00D0: 79 B4 2D 18 76 26 10 D5   26 B4 BF F8 55 75 4D 97  y.-.v&..&...UuM.
00E0: 6A 48 C9 22 08 27 27 A8   B9 3E AA DA A9 16 8C A8  jH.".''..>......
00F0: 04 6B 0E 79 C5 10 EF CB   EA F7 CE 0D A9 61 3E 9A  .k.y.........a>.

]
***
main, READ: TLSv1.2 Handshake, length = 333
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 81286215691392024658297626500297003509559688137291949974573125267328187893559
  public y coord: 55957327417096262980937642227003113979964272470252997235257545314551630655731
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
main, READ: TLSv1.2 Handshake, length = 4
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 4, 89, 122, 32, 60, 110, 18, 176, 255, 160, 167, 60, 155, 112, 111, 52, 3, 74, 175, 208, 231, 82, 101, 50, 141, 93, 92, 183, 11, 6, 79, 64, 220, 247, 148, 253, 83, 153, 17, 129, 230, 23, 6, 135, 189, 39, 137, 177, 31, 124, 83, 214, 219, 71, 198, 68, 75, 160, 37, 154, 122, 236, 242, 13 }
main, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 1C 25 8A 21 86 10 8A A8   62 35 71 D7 A7 19 28 14  .%.!....b5q...(.
0010: 6E FE 19 6A CB F5 14 D3   45 D5 D6 DC E6 83 A4 E3  n..j....E.......
CONNECTION KEYGEN:
Client Nonce:
0000: 5A D7 43 C3 99 67 D7 CC   73 83 08 16 6D 68 25 83  Z.C..g..s...mh%.
0010: 83 E9 8A 22 3F 1C 03 1E   36 23 FB FE 5F F1 B9 04  ..."?...6#.._...
Server Nonce:
0000: 5A D7 43 C3 13 73 8A 92   38 AA 92 4F 04 93 F9 71  Z.C..s..8..O...q
0010: 20 3A 20 C9 EE 60 57 B8   61 4E 01 EF 6B 26 AC 7A   : ..`W.aN..k&.z
Master Secret:
0000: 7C 56 5C D8 4D 51 65 AA   6C 27 91 3C 47 B0 0F B2  .V\.MQe.l'.<G...
0010: 8A 56 CB 20 3C C9 F3 17   4D 4B DE 34 14 7F F5 13  .V. <...MK.4....
0020: C6 35 E3 E8 DC 2D DC B0   92 6A F7 AD 81 62 17 7A  .5...-...j...b.z
... no MAC keys used for this cipher
Client write key:
0000: 27 BA 3B 19 78 1C FA 94   D2 D6 93 59 02 FF 23 96  '.;.x......Y..#.
Server write key:
0000: 10 DD 0C FB 4C F2 7D 4C   F5 4C E7 99 AD C6 50 6D  ....L..L.L....Pm
Client write IV:
0000: 01 E8 75 75                                        ..uu
Server write IV:
0000: C7 A8 87 AD                                        ....
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 247, 75, 23, 155, 57, 223, 125, 250, 51, 193, 142, 238 }
***
main, WRITE: TLSv1.2 Handshake, length = 40
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 40
*** Finished
verify_data:  { 248, 22, 39, 116, 98, 207, 124, 72, 147, 152, 215, 71 }
***
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed [
[
  Version: V3
  Subject: CN=*.percolate.com, OU=Ops, O="Percolate Industries, Inc.", L=New York, ST=New York, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 27401232310841133798229367871778264888123281636579263087556493451455060403259520645144584781313630991090105503198253906558563466329078722164170243267435739582081442222282097054777661956394083571911323130008480518688103543574372442709650254253434253066390644674176409954924769117481644772680166177303275929599129288661414733297270603535292347906522589286324172574835433083241554969591753284712463949161543930921995788372612260539349349380608375726629159393031898512729904510137397763415534963786907974673280474817121866827512205197365492992497240546530049440471928541689855437508889763971224310008127580760255679638381
  public exponent: 65537
  Validity: [From: Wed Feb 28 01:00:00 CET 2018,
               To: Fri Jun 26 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  SerialNumber: [    098195a7 788de187 8021110d 87683a26]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 E7 04 82 01 E3   01 E1 00 76 00 A4 B9 09  ...........v....
0010: 90 B4 18 58 14 87 BB 13   A2 CC 67 70 0A 3C 35 98  ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD   0E C8 0D DC 10 00 00 01  ......w.........
0030: 61 DD A5 C5 64 00 00 04   03 00 47 30 45 02 21 00  a...d.....G0E.!.
0040: EF A8 D2 77 82 20 E8 F1   7E 1D 52 42 CF B9 F0 AA  ...w. ....RB....
0050: 22 E7 70 B0 86 91 90 5A   64 A1 03 4A 59 9F 4A 5F  ".p....Zd..JY.J_
0060: 02 20 3A 49 C7 56 ED 7A   C8 F8 CF C3 A9 0D 3D 54  . :I.V.z......=T
0070: 7E 29 F7 CB 62 7B 5E 9A   E2 EB CC 3B 5F 8D FA BA  .)..b.^....;_...
0080: 3B FB 00 77 00 87 75 BF   E7 59 7C F8 8C 43 99 5F  ;..w..u..Y...C._
0090: BD F3 6E FF 56 8D 47 56   36 FF 4A B5 60 C1 B4 EA  ..n.V.GV6.J.`...
00A0: FF 5E A0 83 0F 00 00 01   61 DD A5 C6 27 00 00 04  .^......a...'...
00B0: 03 00 48 30 46 02 21 00   B3 E6 9F 85 4F AA 24 4F  ..H0F.!.....O.$O
00C0: A1 45 34 56 6C 90 D8 A7   29 04 4F 85 C3 B4 17 55  .E4Vl...).O....U
00D0: 1C B0 D8 AB E7 58 4F 7F   02 21 00 C8 07 C9 1C A0  .....XO..!......
00E0: 3C C4 77 21 2F E3 F0 A6   5F 95 A3 CA 85 BD D3 94  <.w!/..._.......
00F0: FF C0 B1 ED 0C 5C 8D C5   BD AF AB 00 76 00 EE 4B  .....\......v..K
0100: BD B7 75 CE 60 BA E1 42   69 1F AB E1 9E 66 A3 0F  ..u.`..Bi....f..
0110: 7E 5F B0 72 D8 83 00 C4   7B 89 7A A8 FD CB 00 00  ._.r......z.....
0120: 01 61 DD A5 C7 B8 00 00   04 03 00 47 30 45 02 21  .a.........G0E.!
0130: 00 9A 4A CE FD 4B 77 3A   36 BD 2E 67 5F 14 82 47  ..J..Kw:6..g_..G
0140: 11 30 C8 CB 68 E4 84 B5   01 D4 77 2F 67 5A 39 81  .0..h.....w/gZ9.
0150: 1A 02 20 78 57 38 5C F6   DF 92 36 B4 96 2F C6 CB  .. xW8\...6../..
0160: 83 1E 96 9D 87 C0 B9 DE   08 E2 B1 97 3A AF FF 19  ............:...
0170: 69 DD AC 00 76 00 BB D9   DF BC 1F 8A 71 B5 93 94  i...v.......q...
0180: 23 97 AA 92 7B 47 38 57   95 0A AB 52 E8 1A 90 96  #....G8W...R....
0190: 64 36 8E 1E D1 85 00 00   01 61 DD A5 C6 4E 00 00  d6.......a...N..
01A0: 04 03 00 47 30 45 02 20   50 32 03 EB 43 F7 C2 E6  ...G0E. P2..C...
01B0: 73 08 4B 40 C3 1E 92 C2   77 8F 0D F9 CB EF 39 FA  s.K@....w.....9.
01C0: 93 D0 92 DA DE 30 7E 49   02 21 00 8C B5 02 C6 BF  .....0.I.!......
01D0: F4 86 00 27 4C 94 87 3D   4B 9A 5A 9E 9D B2 FE B7  ...'L..=K.Z.....
01E0: AC 6B FC 9B A9 D6 36 41   19 14 BE                 .k....6A...


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.digicert.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 0F 80 61 1C 82 31 61 D5   2F 28 E7 8D 46 38 B4 2C  ..a..1a./(..F8.,
0010: E1 C6 D9 E2                                        ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl3.digicert.com/ssca-sha2-g6.crl]
, DistributionPoint:
     [URIName: http://crl4.digicert.com/ssca-sha2-g6.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 64 69  ..https://www.di
0010: 67 69 63 65 72 74 2E 63   6F 6D 2F 43 50 53        gicert.com/CPS

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: *.percolate.com
  DNSName: percolate.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 95 64 49 16 AF 41 B0 38   A9 15 FF 3F A3 74 EA 6C  .dI..A.8...?.t.l
0010: E0 09 51 A0                                        ..Q.
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 3D B8 D5 01 DB A2 56 90   DA F0 09 69 74 9C 4D 8A  =.....V....it.M.
0010: 26 06 AE F0 90 F9 5E DD   8F DE 47 DD B0 A4 07 A4  &.....^...G.....
0020: 12 2B 42 CA 0B 76 16 FC   D5 2F 3C 0B 97 BE DC 65  .+B..v.../<....e
0030: 77 F3 D1 77 F8 69 43 56   1E 25 E5 A3 8C CA 0C 0D  w..w.iCV.%......
0040: CA E3 34 78 AB 2C 18 21   51 59 DD 9D 05 B1 1A 2B  ..4x.,.!QY.....+
0050: 1E 42 68 C2 31 FC 05 EC   27 FD F1 8B B0 C6 72 82  .Bh.1...'.....r.
0060: 98 49 1D C5 09 2B DB A3   AF EB 0F 6A 96 28 54 45  .I...+.....j.(TE
0070: 15 C5 AC 7F 43 4F AC F5   66 AE 04 12 FE 52 D1 0A  ....CO..f....R..
0080: E9 F8 82 3A AF 03 EF F1   36 9A 3F 33 23 A0 7B 79  ...:....6.?3#..y
0090: DD A7 0F 24 F5 0E 9B B0   C0 13 80 65 D2 F2 1E 7C  ...$.......e....
00A0: 94 75 9D 87 44 F1 D5 0A   7C 7C 8D C5 ED 66 2A CE  .u..D........f*.
00B0: 67 5E 0B F3 C5 C7 3D E7   B7 3E 45 C0 27 81 07 A0  g^....=..>E.'...
00C0: 23 76 FE 99 22 E6 E7 18   3F 6A 76 BC 96 BA B0 67  #v.."...?jv....g
00D0: 79 B4 2D 18 76 26 10 D5   26 B4 BF F8 55 75 4D 97  y.-.v&..&...UuM.
00E0: 6A 48 C9 22 08 27 27 A8   B9 3E AA DA A9 16 8C A8  jH.".''..>......
00F0: 04 6B 0E 79 C5 10 EF CB   EA F7 CE 0D A9 61 3E 9A  .k.y.........a>.

]
    at okhttp3.internal.tls.CertificateChainCleaner$BasicCertificateChainCleaner.clean(CertificateChainCleaner.java:132)
    at okhttp3.CertificatePinner.check(CertificatePinner.java:149)
    at okhttp3.internal.io.RealConnection.connectTls(RealConnection.java:252)
    at okhttp3.internal.io.RealConnection.establishProtocol(RealConnection.java:196)
    at okhttp3.internal.io.RealConnection.buildConnection(RealConnection.java:171)
    at okhttp3.internal.io.RealConnection.connect(RealConnection.java:111)
    at okhttp3.internal.http.StreamAllocation.findConnection(StreamAllocation.java:187)
    at okhttp3.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:123)
    at okhttp3.internal.http.StreamAllocation.newStream(StreamAllocation.java:93)
    at okhttp3.internal.http.HttpEngine.connect(HttpEngine.java:296)
    at okhttp3.internal.http.HttpEngine.sendRequest(HttpEngine.java:248)
    at okhttp3.RealCall.getResponse(RealCall.java:243)
    at okhttp3.RealCall$ApplicationInterceptorChain.proceed(RealCall.java:201)
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:163)
    at okhttp3.RealCall.execute(RealCall.java:57)
    at com.percoalte.sdk.python.bridge.PercolateSdkPythonBridge.main(PercolateSdkPythonBridge.java:96)
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 26
main, called closeSocket(true)

Not sure why this exception is shown. Any idea why this could happening?

Answer 1

Not a definite answer, but too much for comments.

Off the bat, it's not SNI as I guessed.

Your trace shows the TLS handshake (in JSSE) completing successfully (and with SNI). The received cert chain is not really valid, because it has only the server cert which is issued by DigiCert SHA2 Secure Server CA which is an intermediate CA not a root and the intermediate aka chain cert is not provided, but your use of the accept-anything TrustManager causes JSSE not to notice this.

Then the SSLPeerUnverifiedException occurs in CertificatePinner. The only source I can find is at https://github.com/square/okhttp/tree/master/okhttp/src/main/java/okhttp3 and while it has that exception message in .internal.tls.BasicCertificateChainCleaner.clean it has that class separate not nested in CertificateChainCleaner. Moreover it can only be called from CertificatePinner.check at a line different from yours, and using an instance variable which should not have been set by the Builder invocation you use -- although there is a method that could in effect set that instance variable at some later unknown time with some unknown value.

The comments -- if they don't significantly differ for whatever version you are actually using -- suggest that this method should be invoked with a valid or validatable chain, and the code appears to require it. The javadoc comment on the abstract class CertificateChainCleaner says

/**
 * Computes the effective certificate chain from the raw array returned by Java's built in TLS APIs.
 * Cleaning a chain returns a list of certificates where the first element is {@code chain[0]}, each
 * certificate is signed by the certificate that follows, and the last certificate is a trusted CA
 * certificate.
 *
 * <p>Use of the chain cleaner is necessary to omit unexpected certificates that aren't relevant to
 * the TLS handshake and to extract the trusted CA certificate for the benefit of certificate
 * pinning.
 */

and the implementation class BasicChainCertificateCleaner says

/**
 * A certificate chain cleaner that uses a set of trusted root certificates to build the trusted
 * chain. This class duplicates the clean chain building performed during the TLS handshake. We
 * prefer other mechanisms where they exist, such as with
 * {@code okhttp3.internal.platform.AndroidPlatform.AndroidCertificateChainCleaner}.
 *
 * <p>This class includes code from <a href="https://conscrypt.org/">Conscrypt's</a> {@code
 * TrustManagerImpl} and {@code TrustedCertificateIndex}.
 */

and its clean method says

  * <p>This method throws if the complete chain to a trusted CA certificate cannot be constructed.
   * This is unexpected unless the trust root index in this class has a different trust manager than
   * what was used to establish {@code chain}.

which together strongly suggest to me this is intended to work with the normal (PKIX chain) validation done by the normal TrustManager. The chain 'finishing' done here resembles that done by Java's normal PKIX or X.509 validator, but simplified. This is further supported by part of the javadoc comment for the toplevel CertificatePinner class:

 * <h4>Note about self-signed certificates</h4>
 *
 * <p>{@link CertificatePinner} can not be used to pin self-signed certificate if such certificate
 * is not accepted by {@link javax.net.ssl.TrustManager}.

Thus I suggest you restire the normal TrustManager, but since it won't accept the 'chain' this server is currently sending you need to either:

• fix the server to obey RFC5246 and send the appropriate Digicert intermediate cert, or

• get the intermediate (from http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt per the AIA, but not with a browser that obeys the MIMEtype -- try curl wget or similar) and add it to the truststore JSSE uses, and if that is not the same as the truststore used by CertificatePinner you probably need to add it there also.