Certificate is trusted by PC but not by Android

Question

Since this morning  my certificate is not trusted anymore on Android and then my application cannot connect anymore     Catch exception while startHandshake  javax net ssl SSLHandshakeException  java security cert CertPathValidatorException  Trust anchor for certification path not found   return an invalid session with invalid cipher suite of SSL NULL WITH NULL NULL  javax net ssl SSLPeerUnverifiedException  No peer certificate     at org apache harmony xnet provider jsse SSLSessionImpl getPeerCertificates SSLSessionImpl java 137      at org apache http conn ssl AbstractVerifier verify AbstractVerifier java 93      at org apache http conn ssl SSLSocketFactory createSocket SSLSocketFactory java 381      at org apache http impl conn DefaultClientConnectionOperator openConnection DefaultClientConnectionOperator java 165      at org apache http impl conn AbstractPoolEntry open AbstractPoolEntry java 164      at org apache http impl conn AbstractPooledConnAdapter open AbstractPooledConnAdapter java 119      at org apache http impl client DefaultRequestDirector execute DefaultRequestDirector java 360      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 591      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 807      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 781      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 770    If I try in Google Chrome  on PC  there s no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn t trusted  What can I do

User · Answer

With Comodo PositiveSSL we have received 4 files.

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
our_domain.crt

When we followed the instructions on comodo site - we would get an error that our certificate was missing an intermediate certificate file.

Basically the syntax is

cat our_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  AddTrustExternalCARoot.crt > domain-ssl_bundle.crt

User · Answer

I hope i am not too late  this solution here worked for me  i am using COMODO SSL  the above solutions seem invalid over time  my website lifetanstic co ke  Instead of contacting Comodo Support and gain a CA bundle file You can do the following   When You get your new SSL cert from Comodo  by mail  they have a zip file attached  You need to unzip the zip-file and open the following files in a text editor like notepad   AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSADomainValidationSecureServerCA crt   Then copy the text of each   crt  file and paste the texts above eachother in the  Certificate Authority Bundle  optional   field   After that just add the SSL cert as usual in the  Certificate  field and click at  Autofil by Certificate  button and hit  Install

User · Answer

You might be missing an intermediate certificate in your cert file  If you have already visited another website which has the same certificate seller  the intermediate certificate is remembered in your browser  This might not - or even better - will not be the case with every visitor to your website  To solve a missing intermediate certificate in the SSL connection  you will need to add the intermediate certificate to your own certificate file   GoDaddy has some info on the intermediate certificates  but the best source is always your certificate provider   http   support godaddy com help article 868 what-is-an-intermediate-certificate  I once had this issue of an intermediate cert  with Commodo too  and had to combine my own cert file with the intermediate CA s to work  Once done no errors occurred anymore   Installation instructions per webserver by Godaddy  http   support godaddy com help article 5346 installing-an-ssl-server-instructions locale en  And here is a list of the most common installation guides by Commodo themselves  https   support comodo com index php  Default Knowledgebase Article View 1145 0 how-do-i-make-my-own-bundle-file-from-crt-files  Depending on what webserver you are using  you ll need to specify all certificates  domain certificate  intermediate and root  or combine them into one  eg for Nginx  in the order     domain certificate intermediate certificate root certificate   An easy way of doing this in an SSH terminal is by typing    cat domainfile intermediatefile rootfile  gt  targetfile     Certificate test tool  If you encounter further problems or are unsure whether the certificate is correct  please try an online tool to verify your SSL certificate  For instance  networking4all com en ssl certificates quickscan   SNI support for android 2 2 and lower  Please note android 2 2  and probably older  do not support SNI  which allows multiple SSL certificates for different hostnames to work without issues on one single IP address  Thanks to  technyquist for providing that information  Please review this SO question about SNI for more information on this issue

User · Answer

I had the same error because I didn t issued a Let s Encrypt cert for the www my-domain com  only for my-domain com  Issuing also for the www  and configuring the vhost to load certificates for www my-domain com before redirecting to https   my-domain com did the trick

User · Answer

I had the same issue and my issue was the device not having the right date and time  Once I fixed that the certificate is being trusted

User · Answer

With Godaddy certs you most likely will have a domain key  gd bundle something crt and  random alphanumeric string  4923hg4k23jh4 crt  You ll need to  cat gd bundle something crt  gt  gt  4923hg4k23jh4 crt  And then  on nginx  you will use   ssl                  on  ssl certificate       etc ssl certs 4923hg4k23jh4 crt  ssl certificate key   etc ssl certs domain key

User · Answer

You have to create a crt bundle then it will be fine  You will be receiving three crt files  Use them all  If you only used the domain crt then there will be warning on android but not on PC   I am on nginx  I opened domain name crt and then opened positivesslca2 crt  select all and copy to the end of domain name crt  Then open AddTrustExternalCARoot crt  copy to the end of domain name crt again  Then install the domain name crt  works good

User · Answer

I encountered this same issue under Apache 2 2 when I was trying to use multiple SSLCertificateChainFile directives for each intermediate cert  instead I needed to concatenate all three into a single file   Coming from GoDaddy where they d done this for me as a  bundle  this extra step was new to me  but a re-reading of the Apache documentation made this apparent   Worth noting  this directive is deprecated as of Apache 2 4 8 since you can now concatenate all the intermediates with the actual cert

User · Answer

I had a similar problem and wrote a detailed article about it  If anyone has the same problem  feel free to read my article   https   developer-blog net administration ssl-zertifikat-installieren   It is a detailed problem description in German language

User · Answer

I had the same problem  Another way to generate the correct  crt file is like this   Sometimes you get a  PEM file with an entire certificate chain inside  The file may look like this      -----BEGIN RSA PRIVATE KEY----- blablablabase64private    -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- blablablabase64CRT1    -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- blablablabase64CRT2    -----END CERTIFICATE-----       If you remove the entire private key section  you will have a valid chained  crt

User · Answer

Make sure you also use your intermediate crt   crt file with a bundle   some providers also call it bundle or ca certificate   then in your ssl conf   SSLCertificateFile  lt  path for actual certificate gt   SSLCACertificateFile  lt  path for actual intermediate certificate gt    then restart your webserver  ex for apache use    sudo service httpd restart

User · Answer

I ve recently ren into this issue with Commodo cert I bought on ssls com and I ve had 3 files   domain-name ca-bundle domain-name crt and domain-name p7b  I ve had to set it up on Nginx and this is the command I ran   cat domain-name ca-bundle domain-name crt  gt  commodo-ssl-bundle crt   I then used commodo-ssl-bundle crt inside the Nginx config file and works like a charm

User · Answer

could be that you re missing the certificate on your device   try looking at this answer  How to install trusted CA certificate on Android device  to see how to install the CA on your own device

User · Answer

Adding this here as it might help someone  I was having problems with Android showing the popup and invalid certificate error   We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files    AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSAExtendedValidationSecureServerCA crt www mydomain com crt   I concatenated them together all on one line like so   cat www mydomain com crt COMODORSAExtendedValidationSecureServerCA crt COMODORSAAddTrustCA crt AddTrustExternalCARoot crt  gt www mydomain com ev-ssl-bundle crt  Then I used that bundle file as my ssl certificate key in nginx  That s it  works now    Inspired by this gist  https   gist github com ipedrazas 6d6c31144636d586dcc3

[android] Certificate is trusted by PC but not by Android

Examples related to android

Examples related to ssl-certificate