Certificate fingerprint error

I removed all the gms related apis and added hms ones. My debug version is working awesome, I have the agconnect file in my project root. But if I download my app directly from appGallery, my hms c...

Check whether the appid is the same as the appid on AppGallery Connect. Check your configuration carefully. In addition, check the certificate fingerprint. Ensure that the JSON file is stored in the project-level directory instead of the application-level directory, and check the following configuration items carefully.

1. Check whether the fingerprint certificate is correctly configured when you apply for related services.
Open the APK file of an app, extract the META-INF directory from the file, obtain the CERT.RSA file in the directory, and run the keytool -printcert -file META-INF/CERT.RSA command to print the signature certificate information.

2. HMS Core (APK) will cache the signature file. You need to find HMS Core (APK) on the Apps page of your device and clear its cache, restart your app, and perform the previous operation again.

3. Sign in to AppGallery Connect, click My apps. On the page that is displayed, go to Develop > Project settings > conventional, check whether SHA-256 certificate fingerprint is consistent with the fingerprint in step 1.

4. For third-party access, check the value of appid.

<meta-data android:name="com.huawei.hms.client.appid" android:value="Your appid"/> 

or

<meta-data android:name="com.huawei.hms.client.appid" android:value="appid=Your appid"/>

Also you’re advised to upgrade the SDK.

Hope this could help with your issue. :)

You get these errors when the SSH host key fingerprint provided to SessionOptions.SshHostKeyFingerprint or the TLS host certificate fingerprint provided to SessionOptions.TlsHostCertificateFingerprint has a wrong format.

(In PowerShell, when setting the properties via -Property switch of New-Object cmdlet, the error is disguised as “The value supplied is not valid, or the property is read-only. Change the value, and then try again.”)

Examples of the correct format of the fingerprints:

  • Base64-encoded SHA-256 SSH host key fingerprint:
    ssh-rsa 2048 2EPqmpSRaRtUIqwvm15rzavssrhHxJ3avJWh9mBaz8M=
  • Hex-encoded SHA-256 TLS host certificate fingerprint:
    b0:ea:9e:a2:0b:90:58:72:4c:dc:bc:5d:83:0e:bf:02:ef:28:9d:b8:8e:26:bc:25:bd:36:4b:17:50:1b:c8:da

The easiest way to get the fingerprints in the correct format is to have WinSCP generate a code template in your preferred language for you. For other options, see also Where do I get SSH host key fingerprint to authorize the server?

Also make sure you use the same version (ideally the latest) of WinSCP both for obtaining the fingerprint in WinSCP GUI and using the fingerprint in WinSCP .NET assembly. Older versions do not support modern SHA-256 fingerprints. So the fingerprint formats may be incompatible (and less safe).

A common mistake is to substitute SessionOptions.TlsHostCertificateFingerprint with SessionOptions.SshHostKeyFingerprint (or vice versa). The SSH host key is used with SSH-based protocols SFTP and FTP. The TLS host certificate is used with SSL-based protocols FTPS and WebDAVS.

The four hash values you see are SPKI hashes. While the fingerprint you see when looking at the certificate is computed over the whole certificate, the SPKI hash is only computed over the SubjectPublicKeyInfo, i.e. the public key contained in the certificate. See Mozilla:HPKP for more details including ways to compute the SPKI hash using common tools.

Apart from that, these SPKI hashes do not necessarily specify the leaf certificate (i.e. the one you were looking at). Instead, at least one of the SPKI hashes for a site should match one of the certificates in the certificate chain, i.e. from leaf up to and including the locally trusted root certificate. This matches the behavior of the HPKP header which is described in RFC 7469 as follows:

… compute the SPKI Fingerprints for each certificate in the Pinned Host’s validated certificate chain … check that the set of these SPKI Fingerprints intersects the set of SPKI Fingerprints in that Pinned Host’s Pinning Metadata

To manually do the checks, one might export every certificate from the browser, compute the SPKI hash (see first link on how to do this) and then check if it is in the list of preloaded SPKI hashes. For the connection I get to www.google.com I get the following chain (note that I get a different leaf certificate):

[0] www.google.com
cert fingerprint: 27:4C:3B:05:9F:30:5C:C3:C7:EE:23:98:E5:33:21:EE:56:34:E0:40:96:09:1E:87:BE:F0:9D:AF:A7:44:39:12
SPKI hash: He1hxIXPpsnamgIS9IH1HC45P2yj45Py1fi0/JI6JBo=

[1] Google Internet Authority G3
cert fingerprint: BE:0C:CD:54:D4:CE:CD:A1:BD:5E:5D:9E:CC:85:A0:4C:2C:1F:93:A5:22:0D:77:FD:E8:8F:E9:AD:08:1F:64:1B
SPKI hash: f8NnEFZxQ4ExFOhSN7EiFWtiudZQVD2oY60uauV/n78=

[builtin] GlobalSign Root CA - R2
cert fingerprint: CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E
SPKI hash: iie1VXtL7HzAMF+/PVPR9xzT80kQxdZeJ+zduCB3uj0=

As you can see, the last SPKI hash from the builtin root CA intersects with the preloaded SPKI hashes, which means that the validation was successful.

If you want to know what the other SPKI hashes are for, you might have a look at the source code for Chromium, where it shows the following definition for the PIN set used for the Google domains:

  "name": "google",
  "static_spki_hashes": [
    "GoogleBackup2048",
    "GoogleG2",
    "GeoTrustGlobal",
    "GlobalSignRootCA_R2"
  ],

The last item GlobalSignRootCA_R2 is the one found in the current chain.
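
The difference between the two values, as an added example that is not part of the original answer: standard-library Python that slices SubjectPublicKeyInfo out of a DER certificate, computes both the whole-certificate fingerprint and the RFC 7469 SPKI hash, and applies the chain/pin-set intersection check. All function names are assumptions of this example, and `make_cert` builds constructed, unsigned test certificates so the code runs offline.

```python
import base64
import hashlib

def tlv(tag, content):
    """DER-encode one element (short- or long-form definite length)."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

def read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element at buf[pos]."""
    nbytes = buf[pos + 1] & 0x7F if buf[pos + 1] & 0x80 else 0
    start = pos + 2 + nbytes
    length = int.from_bytes(buf[pos + 2:start], "big") if nbytes else buf[pos + 1]
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos], start, start + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element out of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # TBSCertificate SEQUENCE
    # Skip [0] version (optional), serial, sigAlg, issuer, validity, subject.
    for _ in range(6 if cert[pos] == 0xA0 else 5):
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def cert_fingerprint(cert):
    """SHA-256 over the whole certificate, as colon-separated hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert).digest())

def spki_hash(cert):
    """Base64 SHA-256 over SubjectPublicKeyInfo only (the RFC 7469 pin value)."""
    return base64.b64encode(hashlib.sha256(spki_der(cert)).digest()).decode()

def chain_matches_pins(chain, pins):
    """RFC 7469 check: the chain's SPKI hashes must intersect the pin set."""
    return bool({spki_hash(c) for c in chain} & set(pins))

def make_cert(serial, key):
    """Constructed, unsigned test certificate: real DER layout, dummy key/signature."""
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    alg = seq(tlv(0x06, bytes.fromhex("2a864886f70d010101")), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(tlv(0x06, bytes.fromhex("550403")), tlv(0x0C, b"example.test"))))
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])), alg, name,
              validity, name, seq(alg, tlv(0x03, b"\x00" + key)))
    return seq(tbs, alg, tlv(0x03, b"\x00" * 65))
```

For a real certificate, pass its DER bytes, for example from `ssl.PEM_cert_to_DER_cert()`. A certificate re-issued with the same key keeps its SPKI hash while its whole-certificate fingerprint changes.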


  • Hi all, I have made a recovery of an Exchange 2010 Rollup 4.

    The server was installed with these features:

    — Client Access
    — Hub Transport

    Everything went fine, but when I went to import the certificate again, I get the system this error message:

    Can not import the certificate. There is already a certified fingerprint <Fingerprint>.

    He tried to run the command in Exchange Management Console:
    Import-ExchangeCertificate -Server <server_name> -FileData <Binary data> -Password System.Security.SecureString -PrivateKeyExportable $true

    PS When I run from the command, the output is:

    [PS] C: > Get-ExchangeCertificate -Server <server_name> | fl

    AccessRules:
    CertificateDomains: {<server_name>, <server_name.xx.yy>}
    HasPrivateKey: True
    IsSelfSigned: True
    Issuer: CN = <server_name>
    NotAfter: 12/23/2017 16:35:17
    NotBefore: 10/09/2012 19:51:57
    PublicKeySize: 2048
    RootCAType: None
    SerialNumber: <serial_number>
    Services: IMAP, POP, IIS, SMTP
    Status: Valid
    Subject: CN = <server_name>
    Thumbprint: Fingerprint

    Do you know how I can fix this?

    THANK YOU ALL


    Microsoft Certified IT Professional Server Administrator

Answers

  • Thank you very much for answering Evan, I had done a few hours ago but it did not work:

    [PS] C: > Remove-ExchangeCertificate -Server <server_name> -Thumbprint <finger_print>

    Confirm
    Are you sure you want to do this?
    Remove? <finger_print> Certificate fingerprint of the certificate store of the computer?
    [S] Yes [O] Yes to All [N] No [T] No to All [?] Help (default is «S«):
    We found the certificate fingerprint <fingerprint> but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
         + CategoryInfo: NotSpecified: ( :) [Remove-ExchangeCertificate], InvalidOperationException
         + FullyQualifiedErrorId: 79A4D1AB, Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveExchangeCertificate

    I started the server certificate manager, and in the personal store, I found a certificate, with the console removed and finally certified amount with the EMC.

    Thank you very much for answering

    regards


    Microsoft Certified IT Professional Server Administrator

    • Marked as answer by

      Friday, September 21, 2012 9:15 AM

Hello,

Today, while I’m trying to update the app that was earlier published in January 2016, I’m getting the below mentioned error. Kindly request your help at the earliest to get this addressed. Below is the error message that I’m getting:

Upload failed

You uploaded an APK that is signed with a different certificate to your previous APKs. You must use the same certificate. Your existing APKs are signed with the certificate(s) with fingerprint(s):

[ SHA1: 3B:F0:E3:9C:92:16:5F:1F:5B:5D:5B:3A:0F:A3:C7:D4:29:67:AA:11 ]

and the certificate(s) used to sign the APK you uploaded have fingerprint(s):

[ SHA1: EF:F0:80:99:A1:AB:38:D2:CE:BC:60:32:48:11:AC:1A:AE:61:EB:E3 ]

Earlier, this app was published using a personal ID and that got the certificate migrated to official email ID: android.rxprism@gmail.com by sending a request email to: html5tools@intel.com. Currently when I try to import, it shows there is no legacy certificate as well.

This app is due to submission for an event and I’m not sure how to overcome this challenge. Can someone kindly help me on this please.

  • #1

proxmox-backup-client is refusing to connect to our PBS due to certificate mismatch:

WARNING: certificate fingerprint does not match expected fingerprint!
expected: 3f:41:a9:17:7c:49:10:4d:fc:85:3b:b4:8a:96:c3:2c:24:61:b1:22:4a:9c:63:86:7f:c9:18:54:71:41:c8:9e
certificate validation failed — Certificate fingerprint was not confirmed.
Error: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:../ssl/statem/statem_clnt.c:1913:

I am assuming this is because we are using LetsEncrypt and the certificate has been updated.

If I delete ~/.config/proxmox-backup/fingerprints I can connect again but have to interact with the process to approve the new thumbprint.

Is there an option/config to ignore certificate thumbprint?

Last edited: Oct 27, 2021

oguz

Proxmox Retired Staff


  • #2

hi,

if you’re running the backup client from PVE, also check your /etc/pve/storage.cfg file to make sure the fingerprint there matches as well.

> I can connect again but have to interact with the process to approve the new thumbprint.

should only be one time.

> Is there an option/config to ignore certificate thumbprint?

no… that would undermine the ability to verify the server’s authenticity and make you vulnerable to man in the middle attacks (for example a spoofed backup server taking your backups instead of the real one). EDIT: this is only true if the certificate is ignored completely (which isn’t possible).

for certificates trusted by the system store you can avoid fingerprint pinning if you just delete the fingerprints file you mentioned, afterwards it shouldn’t be necessary to reapprove the new fingerprint (provided the certificate is trusted by the client system)

Last edited: Oct 28, 2021
