Home » Android » Certificate is trusted by PC but not by Android

Certificate is trusted by PC but not by Android

Posted by: admin November 29, 2017 Leave a comment

Questions:

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

If I try in Google Chrome (on PC) there’s no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn’t trusted. What can I do?

Answers:

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not – or even better – will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider):
http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

I once had this issue of an intermediate cert (with Commodo too) and had to combine my own cert file with the intermediate CA’s to work. Once done no errors occurred anymore.

Installation instructions per webserver by Godaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

And here is a list of the most common installation guides by Commodo themselves:
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

Depending on what webserver you are using, you’ll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (eg for Nginx) in the order:

  1. domain certificate
  2. intermediate certificate
  3. root certificate

An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile

Certificate test tool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: https://www.networking4all.com/en/support/tools/site+check/

SNI support for android 2.2 and lower

Please note android 2.2 (and probably older) do not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.

Questions:
Answers:

You have to create a crt bundle then it will be fine. You will be receiving three crt files. Use them all! If you only used the domain.crt then there will be warning on android but not on PC.

I am on nginx. I opened domain_name.crt and then opened positivesslca2.crt, select all and copy to the end of domain_name.crt. Then open AddTrustExternalCARoot.crt, copy to the end of domain_name.crt again. Then install the domain_name.crt

works good.

Questions:
Answers:

Adding this here as it might help someone. I was having problems with Android showing the popup and invalid certificate error.

We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSAExtendedValidationSecureServerCA.crt
  • www_mydomain_com.crt

I concatenated them together all on one line like so:

cat www_mydomain_com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www.mydomain.com.ev-ssl-bundle.crt

Then I used that bundle file as my ssl_certificate_key in nginx. That’s it, works now.

Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3

Questions:
Answers:

With Comodo PositiveSSL we have received 4 files.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • our_domain.crt

When we followed the instructions on comodo site – we would get an error that our certificate was missing an intermediate certificate file.

Basically the syntax is

cat our_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  AddTrustExternalCARoot.crt > domain-ssl_bundle.crt

Questions:
Answers:

I’ve recently ren into this issue with Commodo cert I bought on ssls.com and I’ve had 3 files:

domain-name.ca-bundle domain-name.crt and domain-name.p7b

I’ve had to set it up on Nginx and this is the command I ran:

cat domain-name.ca-bundle domain-name.crt > commodo-ssl-bundle.crt

I then used commodo-ssl-bundle.crt inside the Nginx config file and works like a charm.

Questions:
Answers:

I had the same issue and my issue was the device not having the right date and time. Once I fixed that the certificate is being trusted.

Questions:
Answers:

I encountered this same issue under Apache 2.2 when I was trying to use multiple SSLCertificateChainFile directives for each intermediate cert; instead I needed to concatenate all three into a single file. Coming from GoDaddy where they’d done this for me as a “bundle” this extra step was new to me, but a re-reading of the Apache documentation made this apparent.

Worth noting, this directive is deprecated as of Apache 2.4.8 since you can now concatenate all the intermediates with the actual cert.

Questions:
Answers:

I hope i am not too late, this solution here worked for me, i am using COMODO SSL, the above solutions seem invalid over time, my website lifetanstic.co.ke

Instead of contacting Comodo Support and gain a CA bundle file You can do the following:

When You get your new SSL cert from Comodo (by mail) they have a zip file attached.
You need to unzip the zip-file and open the following files in a text editor like notepad:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Then copy the text of each “.crt” file and paste the texts above eachother in the “Certificate Authority Bundle (optional)” field.

After that just add the SSL cert as usual in the “Certificate” field and click at “Autofil by Certificate” button and hit “Install”.

Questions:
Answers:

With Godaddy certs you most likely will have a domain.key, gd_bundle_something.crt and (random alphanumeric string) 4923hg4k23jh4.crt

You’ll need to: cat gd_bundle_something.crt >> 4923hg4k23jh4.crt

And then, on nginx, you will use

ssl                  on;
ssl_certificate      /etc/ssl/certs/4923hg4k23jh4.crt;
ssl_certificate_key  /etc/ssl/certs/domain.key;

Questions:
Answers:

I had the same problem. Another way to generate the correct .crt file is like this:

Sometimes you get a .PEM file with an entire certificate chain inside. The file may look like this….

-----BEGIN RSA PRIVATE KEY-----
blablablabase64private...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT2...
-----END CERTIFICATE-----
...

If you remove the entire private key section, you will have a valid chained .crt

Questions:
Answers:

I had the same error because I didn’t issued a Let’s Encrypt cert for the www.my-domain.com, only for my-domain.com

Issuing also for the www. and configuring the vhost to load certificates for www.my-domain.com before redirecting to https://my-domain.com did the trick.

Questions:
Answers:

Make sure you also use your intermediate crt (.crt file with a bundle.. some providers also call it bundle or ca certificate).
then in your ssl.conf,

SSLCertificateFile </path/for/actual/certificate>

SSLCACertificateFile </path/for/actual/intermediate_certificate>

then restart your webserver :ex for apache use :

sudo service httpd restart

Questions:
Answers:

could be that you’re missing the certificate on your device.

try looking at this answer: How to install trusted CA certificate on Android device? to see how to install the CA on your own device.

Questions:
Answers:

I had a similar problem and wrote a detailed article about it. If anyone has the same problem, feel free to read my article.

https://developer-blog.net/administration/ssl-zertifikat-installieren/

It is a detailed problem description in German language.