Certificate is trusted by PC but not by Android

Question

Since this morning  my certificate is not trusted anymore on Android and then my application cannot connect anymore     Catch exception while startHandshake  javax net ssl SSLHandshakeException  java security cert CertPathValidatorException  Trust anchor for certification path not found   return an invalid session with invalid cipher suite of SSL NULL WITH NULL NULL  javax net ssl SSLPeerUnverifiedException  No peer certificate     at org apache harmony xnet provider jsse SSLSessionImpl getPeerCertificates SSLSessionImpl java 137      at org apache http conn ssl AbstractVerifier verify AbstractVerifier java 93      at org apache http conn ssl SSLSocketFactory createSocket SSLSocketFactory java 381      at org apache http impl conn DefaultClientConnectionOperator openConnection DefaultClientConnectionOperator java 165      at org apache http impl conn AbstractPoolEntry open AbstractPoolEntry java 164      at org apache http impl conn AbstractPooledConnAdapter open AbstractPooledConnAdapter java 119      at org apache http impl client DefaultRequestDirector execute DefaultRequestDirector java 360      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 591      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 807      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 781      at org apache http impl client AbstractHttpClient execute AbstractHttpClient java 770    If I try in Google Chrome  on PC  there s no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn t trusted  What can I do

User · Answer

Make sure you also use your intermediate crt (.crt file with a bundle.. some providers also call it bundle or ca certificate). then in your ssl.conf,

SSLCertificateFile </path/for/actual/certificate>

SSLCACertificateFile </path/for/actual/intermediate_certificate>

then restart your webserver :ex for apache use :

sudo service httpd restart

User · Answer

I had the same error because I didn t issued a Let s Encrypt cert for the www my-domain com  only for my-domain com  Issuing also for the www  and configuring the vhost to load certificates for www my-domain com before redirecting to https   my-domain com did the trick

User · Answer

I ve recently ren into this issue with Commodo cert I bought on ssls com and I ve had 3 files   domain-name ca-bundle domain-name crt and domain-name p7b  I ve had to set it up on Nginx and this is the command I ran   cat domain-name ca-bundle domain-name crt  gt  commodo-ssl-bundle crt   I then used commodo-ssl-bundle crt inside the Nginx config file and works like a charm

User · Answer

could be that you re missing the certificate on your device   try looking at this answer  How to install trusted CA certificate on Android device  to see how to install the CA on your own device

User · Answer

I had a similar problem and wrote a detailed article about it  If anyone has the same problem  feel free to read my article   https   developer-blog net administration ssl-zertifikat-installieren   It is a detailed problem description in German language

User · Answer

Adding this here as it might help someone  I was having problems with Android showing the popup and invalid certificate error   We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files    AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSAExtendedValidationSecureServerCA crt www mydomain com crt   I concatenated them together all on one line like so   cat www mydomain com crt COMODORSAExtendedValidationSecureServerCA crt COMODORSAAddTrustCA crt AddTrustExternalCARoot crt  gt www mydomain com ev-ssl-bundle crt  Then I used that bundle file as my ssl certificate key in nginx  That s it  works now    Inspired by this gist  https   gist github com ipedrazas 6d6c31144636d586dcc3

User · Answer

You might be missing an intermediate certificate in your cert file  If you have already visited another website which has the same certificate seller  the intermediate certificate is remembered in your browser  This might not - or even better - will not be the case with every visitor to your website  To solve a missing intermediate certificate in the SSL connection  you will need to add the intermediate certificate to your own certificate file   GoDaddy has some info on the intermediate certificates  but the best source is always your certificate provider   http   support godaddy com help article 868 what-is-an-intermediate-certificate  I once had this issue of an intermediate cert  with Commodo too  and had to combine my own cert file with the intermediate CA s to work  Once done no errors occurred anymore   Installation instructions per webserver by Godaddy  http   support godaddy com help article 5346 installing-an-ssl-server-instructions locale en  And here is a list of the most common installation guides by Commodo themselves  https   support comodo com index php  Default Knowledgebase Article View 1145 0 how-do-i-make-my-own-bundle-file-from-crt-files  Depending on what webserver you are using  you ll need to specify all certificates  domain certificate  intermediate and root  or combine them into one  eg for Nginx  in the order     domain certificate intermediate certificate root certificate   An easy way of doing this in an SSH terminal is by typing    cat domainfile intermediatefile rootfile  gt  targetfile     Certificate test tool  If you encounter further problems or are unsure whether the certificate is correct  please try an online tool to verify your SSL certificate  For instance  networking4all com en ssl certificates quickscan   SNI support for android 2 2 and lower  Please note android 2 2  and probably older  do not support SNI  which allows multiple SSL certificates for different hostnames to work without issues on one single IP address  Thanks to  technyquist for providing that information  Please review this SO question about SNI for more information on this issue

User · Answer

I hope i am not too late  this solution here worked for me  i am using COMODO SSL  the above solutions seem invalid over time  my website lifetanstic co ke  Instead of contacting Comodo Support and gain a CA bundle file You can do the following   When You get your new SSL cert from Comodo  by mail  they have a zip file attached  You need to unzip the zip-file and open the following files in a text editor like notepad   AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSADomainValidationSecureServerCA crt   Then copy the text of each   crt  file and paste the texts above eachother in the  Certificate Authority Bundle  optional   field   After that just add the SSL cert as usual in the  Certificate  field and click at  Autofil by Certificate  button and hit  Install

User · Answer

With Comodo PositiveSSL we have received 4 files    AddTrustExternalCARoot crt COMODORSAAddTrustCA crt  COMODORSADomainValidationSecureServerCA crt     our domain crt   When we followed the instructions on comodo site - we would get an error that our certificate was missing an intermediate certificate file    Basically the syntax is  cat our domain crt COMODORSADomainValidationSecureServerCA crt COMODORSAAddTrustCA crt  AddTrustExternalCARoot crt  gt  domain-ssl bundle crt

User · Answer

I had the same issue and my issue was the device not having the right date and time  Once I fixed that the certificate is being trusted

User · Answer

You have to create a crt bundle then it will be fine  You will be receiving three crt files  Use them all  If you only used the domain crt then there will be warning on android but not on PC   I am on nginx  I opened domain name crt and then opened positivesslca2 crt  select all and copy to the end of domain name crt  Then open AddTrustExternalCARoot crt  copy to the end of domain name crt again  Then install the domain name crt  works good

User · Answer

I encountered this same issue under Apache 2 2 when I was trying to use multiple SSLCertificateChainFile directives for each intermediate cert  instead I needed to concatenate all three into a single file   Coming from GoDaddy where they d done this for me as a  bundle  this extra step was new to me  but a re-reading of the Apache documentation made this apparent   Worth noting  this directive is deprecated as of Apache 2 4 8 since you can now concatenate all the intermediates with the actual cert

User · Answer

With Godaddy certs you most likely will have a domain key  gd bundle something crt and  random alphanumeric string  4923hg4k23jh4 crt  You ll need to  cat gd bundle something crt  gt  gt  4923hg4k23jh4 crt  And then  on nginx  you will use   ssl                  on  ssl certificate       etc ssl certs 4923hg4k23jh4 crt  ssl certificate key   etc ssl certs domain key

User · Answer

I had the same problem  Another way to generate the correct  crt file is like this   Sometimes you get a  PEM file with an entire certificate chain inside  The file may look like this      -----BEGIN RSA PRIVATE KEY----- blablablabase64private    -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- blablablabase64CRT1    -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- blablablabase64CRT2    -----END CERTIFICATE-----       If you remove the entire private key section  you will have a valid chained  crt

[android] Certificate is trusted by PC but not by Android

Examples related to android

Examples related to ssl-certificate