Let's Encrypt on Android gives java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Hi, I set up a free certificate generated by Let's Encrypt and configured Nginx to use this certificate (fullchain.pem and privkey.pem).

However, when I try to call it from my Android app (using OkHttp3) I get this error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found


Does the Android trust store not contain the Let's Encrypt root certificate? Or am I missing something while configuring nginx? What is the fix for this if I still want to use a Let's Encrypt certificate?



2 answers


I'm not sure if this is helpful, but the file /etc/letsencrypt/live/<your domain>/README says:

This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.
fullchain.pem : the certificate file used by most server programs.
chain.pem : used for OCSP stapling in Nginx >= 1.3.7.
cert.pem : will break many server configurations, and should not be used without additional documentation (see link below).

We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates .

So, maybe you should use chain.pem?

On the other hand, for those who don't even use Nginx: I was getting the same error from Android because I mistakenly used chain.pem instead of fullchain.pem.

For Android apps, one solution is to send the whole certificate chain (e.g. fullchain.pem), as described here:



https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs

There are two approaches to solving this problem:

  • Configure the server to include an intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers. This is the only approach if you need a site to work with the default Android browsers through at least Android 4.2.

  • Or, treat the intermediate CA like any other unknown CA and create a TrustManager to trust directly, as you did in the previous two sections.

Hope it helps.



If you are using Apache, check your Apache version. In my case, I am using Apache < 2.4.8. The Let's Encrypt user guide says:

cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate(s)...
Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.

So for SSLCertificateFile use cert.pem; for SSLCertificateChainFile use chain.pem.



I originally used fullchain.pem for SSLCertificateFile only. This worked for most browsers and iOS, but Android complained about it with the above error.

By setting up the certificate and chain separately in Apache, all platforms work well.

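Both answers come down to the same point: a client whose trust store holds only root CAs (Android's system store) can validate the server certificate only if the server sends every intermediate, so deploying cert.pem alone (leaf only) or chain.pem alone (intermediate only) fails while fullchain.pem works. The script below, an added example that is not code from the thread, checks a PEM bundle the way such a client would. It needs the third-party `cryptography` package; the root, intermediate and leaf it uses are constructed in-script as stand-ins for a real Let's Encrypt chain, and the file names mirror what certbot writes.

```python
"""Check whether a served PEM bundle chains to a trusted root the way a client
that only knows root CAs (e.g. Android's system trust store) would see it.
Added example, not code from the original thread. Uses the third-party
`cryptography` package; the root/intermediate/leaf below are constructed
here as a stand-in for a real Let's Encrypt chain."""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, issuer_cert, issuer_key, is_ca):
    """Create an ECDSA key and a certificate for it; issuer_cert=None means a self-signed root."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_cert.subject if issuer_cert else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def build_sample_files():
    """Constructed stand-ins for the files certbot writes under /etc/letsencrypt/live/<domain>/."""
    root, root_key = _issue("Sample Root CA", None, None, True)
    inter, inter_key = _issue("Sample Intermediate CA", root, root_key, True)
    leaf, _ = _issue("example.test", inter, inter_key, False)
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    files = {"cert.pem": pem(leaf), "chain.pem": pem(inter), "fullchain.pem": pem(leaf) + pem(inter)}
    return root, files


def load_pem_bundle(pem):
    """Split a concatenated PEM file into certificates, keeping the order the server would send."""
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    return [x509.load_pem_x509_certificate(b) for b in blocks]


def _signed_by(cert, issuer):
    """True if issuer's key produced cert's signature (ECDSA/SHA-256 in this example)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def check_served_chain(pem_bundle, trusted_roots):
    """Walk the served chain leaf-first and return (ok, reason).

    Like a client with only root CAs in its trust store, this succeeds only if
    every intermediate is present in the bundle and the last one was issued by
    a trusted root; a missing intermediate is exactly the
    'Trust anchor for certification path not found' case."""
    certs = load_pem_bundle(pem_bundle)
    if not certs:
        return False, "bundle contains no certificates"
    if _is_ca(certs[0]):
        return False, "first certificate is a CA, not the server cert (chain.pem deployed instead of fullchain.pem?)"
    roots = {r.subject.rfc4514_string(): r for r in trusted_roots}
    for i, cert in enumerate(certs):
        subject, issuer = cert.subject.rfc4514_string(), cert.issuer.rfc4514_string()
        if issuer in roots and _signed_by(cert, roots[issuer]):
            return True, f"chain closes at trusted root '{issuer}' after {i + 1} certificate(s)"
        if i + 1 == len(certs):
            return False, (f"issuer '{issuer}' of '{subject}' is not served and is not a trusted root "
                           "(cert.pem deployed instead of fullchain.pem?)")
        nxt = certs[i + 1]
        if nxt.subject.rfc4514_string() != issuer or not _signed_by(cert, nxt):
            return False, f"served certificate '{nxt.subject.rfc4514_string()}' did not issue '{subject}'"
    return False, "unreachable"


if __name__ == "__main__":
    root, files = build_sample_files()
    for name, data in files.items():
        print(f"{name:14} -> {check_served_chain(data, [root])}")
```

Run as-is it reports fullchain.pem as valid and the other two files as the two failure modes the answers describe. To check a real deployment, feed `check_served_chain` the certificates your server actually presents (for example the output of `openssl s_client -showcerts`) together with the root certificates from the client's trust store; the function relies on exact name matching and ECDSA signatures because that is what the constructed chain uses, so adapt `_signed_by` for RSA-signed chains.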






