Android M App Link Verification fails

Question

I define my app links as follows in AndroidManifest.xml:

<intent-filter android:autoVerify="true">
    <action android:name="android.intent.action.VIEW"/>
    <category android:name="android.intent.category.BROWSABLE"/>
    <category android:name="android.intent.category.DEFAULT"/>

    <data android:host="mysite.com" android:scheme="http"/>
    <data android:host="mysite.com" android:scheme="https"/>
    <data android:host="www.mysite.com" android:scheme="http"/>
    <data android:host="www.mysite.com" android:scheme="https"/>
</intent-filter>

The app correctly detects URLs from the host correctly but prompts if the user would like to open them in the application or the browser because verification fails as seen in the Android monitor console:

01-17 15:44:28.847 7084-30015/? I/IntentFilterIntentSvc: Verifying IntentFilter. verificationId:2 scheme:"https" hosts:"mysite.com www.mysite.com" package:"com.site.myapp.android.flavor".
01-17 15:44:29.821 7084-30015/? I/IntentFilterIntentSvc: Verification 2 complete. Success:false. Failed hosts:mysite.com,www.mysite.com.

My assetlinks.json file is located at mysite.com/.well-known/assetlinks.json and contains the correct package name and SHA256 hash. It is also accessible via http and https. I have verified the SHA hash matches that from the keystore by extracting the CERT.RSA file from the APK and using keytool -printcert -file CERT.RSA

I have tried calling https://digitalassetlinks.googleapis.com/v1/statements:list?source.web.site=https://domain1:port&relation=delegate_permission/common.handle_all_urls as well as using the google site Statement List Tester and both return OK.

I am using a Nexus device running Android 7 for testing.

According to the documentation I have done everything required for app linking to work. Is there anything else that I can check?

My server is running IIS on Windows 7, I have already added application/json as a mimetype in the IIS and web.config files. Could it be failing because I am using a self-signed SSL certificate?

EDIT: SingleHostAsyncVerifier also logs the verification failing. (replaced mysite with example and SHA hash)

01-17 15:44:29.817 7084-30017/? I/SingleHostAsyncVerifier: Verification result: checking for a statement with source a <
a: "https://www.example.com"
>
, relation delegate_permission/common.handle_all_urls, and target b <
a: "com.mypackage.flavor"
b <
a: "(SHA256 hash)"
>
>
--> false.
01-17 15:44:29.820 7084-30016/? I/SingleHostAsyncVerifier: Verification result: checking for a statement with source a <
a: "https://example.com"
>
, relation delegate_permission/common.handle_all_urls, and target b <
a: "com.mypackage.flavor"
b <
a: "(SHA256 hash)"
>
>
--> false.

Answer 1

Although unmentioned in the app links documentation, app links require that the server have a valid SSL certificate from a public or trusted certificate authority. Self-signed certificates do not work.

After switching to a SSL certificate issued by https://www.thawte.com/ the app link verification completes successfully.