192.168.0.14:56294: CONNECT android.googleapis.com:443
<< Cannot establish TLS with client (sni: android.googleapis.com): TlsException("SSL handshake error: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert certificate unknown')],)",)
Android 7.1 and higher do not longer allow the use of custom certificates manually added by the user but if you have a phone with super user access, you can make it work via ADB.
Android stores its system certificates in /system/etc/security/cacerts/
. If you take a look at your device, you will see that the certificates have hashed names, eg. "a1234b0d.0". To intercept app traffic, you need to find out the hash of your certificate.
You will find mitmproxy-ca-cert.pem
in this directory /home/{USER}/.mitmproxy
openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.pem | head -1
It will generate hash like this c8750f0d
Then rename your certificate accordingly
mv mitmproxy-ca-cert.pem <your_hash_value_in_here_without_carets>.0
And finally move it to where your device's system certificates are. For this, however, you need to remount the system directory first in order to get write access
adb shell su -c "mount -o rw,remount,rw /system"
adb push your_certificate /sdcard/your_certificate
adb shell su -c "mv /sdcard/your_certificate /system/etc/security/cacerts/your_certificate"
adb shell su -c "chmod 644 /system/etc/security/cacerts/your_certificate"
adb reboot
If that doesn't work, I can remember (not the source, though) reading about Android Nougat also not regarding certificates that expire in more than 2 years. The certificates created by mitmproxy should be fine. Burpsuite or Fiddler ones did not work for me though.