
Issue 815214

Starred by 5 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Regression




VPN through Android no longer working

Reported by travisep...@gmail.com, Feb 23 2018

Issue description

UserAgent: Mozilla/5.0 (X11; CrOS armv7l 10323.39.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.89 Safari/537.36
Platform: 10323.39.0 (Official Build) beta-channel veyron_minnie

Steps to reproduce the problem:
1. Install OpenVPN for Android
2. Set up VPN connection
3. Connect to VPN connection

What is the expected behavior?
I expect the connection to go through and for ChromeOS to route traffic through that Android App VPN connection

What went wrong?
The Android app can no longer access the certificates. This was working in previous version. Error:

12:34 PM Options error: In /data/user/0/de.blinkt.openvpn/cache/android.conf:20: Maximum optione line length (256) exceeded, line starts with Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certi

I have edited and tried to reselect the Cert, but get this error:
Could not get certificate from Keystore:Attempt to read from null array.

Did this work before? Yes 64.0.3282.134 (Platform version: 10176.65.0)

Chrome version: 65.0.3325.89  Channel: beta
OS Version: 10323.39.0
Flash Version:
 
Installed 10032.86.0 (Official Build) stable-channel veyron_minnie and OpenVPN through Android is working just fine. Since it did a power wash I had to reinstall everything including the certs.
Components: Platform>Apps>ARC
Owner: changmar@chromium.org
changmar@ please triage
Cc: cernekee@chromium.org
Components: Internals>Network>VPN
> Cannot access the Android Keychain Certificates. This can be caused by a firmware upgrade or by restoring a backup of the app/app settings. Please edit the VPN and reselect the certificate under basic settings to recreate the permission to access the certi

This is R.string.keychain_access which may be printed as a result of an android.security.KeyChain error in the getKeyStoreCertificates() method:

https://github.com/schwabe/ics-openvpn/blob/68ecf387e4ec820850eba2e1661b43faf7ce6ea1/main/src/main/java/de/blinkt/openvpn/VpnProfile.java#L409
https://github.com/schwabe/ics-openvpn/blob/68ecf387e4ec820850eba2e1661b43faf7ce6ea1/main/src/main/java/de/blinkt/openvpn/VpnProfile.java#L886

The latter code path may also record the stack trace, either in the application log or in logcat.  Can we get a copy of that backtrace to see what is failing?

(The keychain code is outside my area of expertise so in parallel, we should cc: the appropriate engineers.)
Cc: -cernekee@chromium.org
Owner: cernekee@chromium.org
Apologies, but I already had to reload my system since it was my primary unit and am unable to grab a stack trace...
Cc: emaxx@chromium.org dskaram@chromium.org
Hi David/Maksim - do you have a point of contact for the Android keychain code on ARC++?

Comment 8 by emaxx@chromium.org, Mar 5 2018

Cc: bartfab@chromium.org edmanp@google.com
+Bartosz, +Edman: See comment 7.

Comment 9 by ed...@chromium.org, Mar 6 2018

There have been no recent changes in the keychain we can track this to, and it's hard to debug without a stacktrace.

Can you tell more about your setup? Is this a client certificate being installed in the system wide keystore by a 3rd app, which is then accessed by OpenVPN?
I used the basic setup for the OpenVPN client app.  I installed the certificate through the OpenVPN client app.

https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

Next time I have a bug report I will get a stacktrace.  Should have done that...
bartfab@ any comment on comment 7?
Cc: swillden@google.com
We are using AOSP Keystore, Keychain and soft Keymaster. +swillden is the expert on these.

This bug reminds me of something Edman observed a few times in the past months: Sometimes, certs go missing in the lower levels of the stack, but the alias at the upper levels remains. So you can still enumerate the cert but any attempt to access it fails in weird ways.
A stack trace would be very helpful. It would also be useful to see if the key is still present in keystore's directories (/data/misc/keystore/...).
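
The failure mode discussed in the comments above (an alias that can still be enumerated while access to the key or certificate fails, surfacing as "Attempt to read from null array") can be told apart with a null-checked `android.security.KeyChain` lookup that also logs the backtrace. This is an added example, not code from ics-openvpn or ARC++; the class name, log tag and result names are hypothetical.

```java
import android.content.Context;
import android.security.KeyChain;
import android.security.KeyChainException;
import android.util.Log;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;

/** Hypothetical diagnostic helper; not part of ics-openvpn or ARC++. */
public final class KeyChainAliasCheck {
    private static final String TAG = "KeyChainAliasCheck"; // assumed log tag

    public enum Result { OK, KEY_MISSING, CHAIN_MISSING, KEYCHAIN_ERROR, INTERRUPTED }

    private KeyChainAliasCheck() {}

    /**
     * Must run on a worker thread: both KeyChain calls block on IPC.
     * Either call may return null when the alias no longer resolves or the
     * app's grant for it is gone, so neither result is used unchecked.
     */
    public static Result check(Context context, String alias) {
        try {
            PrivateKey key = KeyChain.getPrivateKey(context, alias);
            if (key == null) {
                Log.e(TAG, "alias '" + alias + "': getPrivateKey returned null");
                return Result.KEY_MISSING;
            }
            X509Certificate[] chain = KeyChain.getCertificateChain(context, alias);
            if (chain == null || chain.length == 0) {
                // Reading chain[0] from a null array is the kind of access that
                // raises "Attempt to read from null array" on ART.
                Log.e(TAG, "alias '" + alias + "': key present, certificate chain missing");
                return Result.CHAIN_MISSING;
            }
            Log.i(TAG, "alias '" + alias + "': leaf subject "
                    + chain[0].getSubjectX500Principal().getName());
            return Result.OK;
        } catch (KeyChainException e) {
            // Passing the throwable puts the full backtrace into logcat.
            Log.e(TAG, "alias '" + alias + "': KeyChain failure", e);
            return Result.KEYCHAIN_ERROR;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return Result.INTERRUPTED;
        }
    }
}
```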

Comment 14 Deleted

Comment 15 by mclun...@gmail.com, May 17 2018

I can reproduce this bug reliably on caroline. It occurs with Android openvpn apps that import a cert into the Android keystore. Everything works fine after initially setting up a config and importing the cert. But after signing out and then signing back in, connection to the cert is lost, resulting in the error message described in comment 1. 

The apps affected include:

https://play.google.com/store/apps/details?id=de.blinkt.openvpn
https://play.google.com/store/apps/details?id=net.openvpn.openvpn

Note: Google support officially recommends the first of these apps for complex openvpn client configs:

https://support.google.com/chromebook/answer/1282338

I would be glad to help to debug but need some pointers on how to generate a stack trace for Android apps on ChromeOS.
Cc: phweiss@chromium.org
Status: Assigned (was: Unconfirmed)
This issue has an owner, a component and a priority, but is still listed as untriaged or unconfirmed. By definition, this bug is triaged. Changing status to "assigned". Please reach out to me if you disagree with how I've done this.
