Starting in from Android Nougat, an application won't trust user added CAs by default (see android developers blog).
If a user uses an ISP's content filtering service or conent filtering service based on vpn (I for example use Netspark),
the content filtering service needs to be decrypted and reencrypted by the content filtering serive. for doing that the ISP/vpn server replaces the ssl certificate by an ssl certificate signed by himself. to make android trust the new certificate he asks the user to add it as a trusted CA by installing a .crt file.
But because starting from nougat an application won't trust user added CAs, wikipedia won't trust the new certificate, a "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found" will be thrown and the user will see something like "Could not connect to internet".
The solution is to set network-security-config in AndroidManifest.xml to trust both user and system CAs as noted in the foregoing link to android developers blog.