SyntaxFix

[android] Certificate is trusted by PC but not by Android

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore: 

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn't trusted. What can I do?

This question is related to android ssl-certificate

The answer is

I encountered this same issue under Apache 2.2 when I was trying to use multiple SSLCertificateChainFile directives for each intermediate cert; instead I needed to concatenate all three into a single file. Coming from GoDaddy where they'd done this for me as a "bundle" this extra step was new to me, but a re-reading of the Apache documentation made this apparent.

Worth noting, this directive is deprecated as of Apache 2.4.8 since you can now concatenate all the intermediates with the actual cert.

You have to create a crt bundle then it will be fine. You will be receiving three crt files. Use them all! If you only used the domain.crt then there will be warning on android but not on PC.

I am on nginx. I opened domain_name.crt and then opened positivesslca2.crt, select all and copy to the end of domain_name.crt. Then open AddTrustExternalCARoot.crt, copy to the end of domain_name.crt again. Then install the domain_name.crt

works good.

I had the same issue and my issue was the device not having the right date and time. Once I fixed that the certificate is being trusted.

With Comodo PositiveSSL we have received 4 files.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • our_domain.crt

When we followed the instructions on comodo site - we would get an error that our certificate was missing an intermediate certificate file.

Basically the syntax is

cat our_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  AddTrustExternalCARoot.crt > domain-ssl_bundle.crt

I hope i am not too late, this solution here worked for me, i am using COMODO SSL, the above solutions seem invalid over time, my website lifetanstic.co.ke

Instead of contacting Comodo Support and gain a CA bundle file You can do the following:

When You get your new SSL cert from Comodo (by mail) they have a zip file attached. You need to unzip the zip-file and open the following files in a text editor like notepad:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Then copy the text of each ".crt" file and paste the texts above eachother in the "Certificate Authority Bundle (optional)" field.

After that just add the SSL cert as usual in the "Certificate" field and click at "Autofil by Certificate" button and hit "Install".

With Godaddy certs you most likely will have a domain.key, gd_bundle_something.crt and (random alphanumeric string) 4923hg4k23jh4.crt

You'll need to: cat gd_bundle_something.crt >> 4923hg4k23jh4.crt

And then, on nginx, you will use 

ssl                  on;
ssl_certificate      /etc/ssl/certs/4923hg4k23jh4.crt;
ssl_certificate_key  /etc/ssl/certs/domain.key;

Make sure you also use your intermediate crt (.crt file with a bundle.. some providers also call it bundle or ca certificate). then in your ssl.conf,

SSLCertificateFile </path/for/actual/certificate>

SSLCACertificateFile </path/for/actual/intermediate_certificate>

then restart your webserver :ex for apache use :

sudo service httpd restart

Adding this here as it might help someone. I was having problems with Android showing the popup and invalid certificate error.

We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSAExtendedValidationSecureServerCA.crt
  • www_mydomain_com.crt

I concatenated them together all on one line like so:

cat www_mydomain_com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www.mydomain.com.ev-ssl-bundle.crt

Then I used that bundle file as my ssl_certificate_key in nginx. That's it, works now.

Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3

I've recently ren into this issue with Commodo cert I bought on ssls.com and I've had 3 files:

domain-name.ca-bundle domain-name.crt and domain-name.p7b

I've had to set it up on Nginx and this is the command I ran:

cat domain-name.ca-bundle domain-name.crt > commodo-ssl-bundle.crt

I then used commodo-ssl-bundle.crt inside the Nginx config file and works like a charm.

I had a similar problem and wrote a detailed article about it. If anyone has the same problem, feel free to read my article.

https://developer-blog.net/administration/ssl-zertifikat-installieren/

It is a detailed problem description in German language.

could be that you're missing the certificate on your device.

try looking at this answer: How to install trusted CA certificate on Android device? to see how to install the CA on your own device.

I had the same problem. Another way to generate the correct .crt file is like this:

Sometimes you get a .PEM file with an entire certificate chain inside. The file may look like this....

-----BEGIN RSA PRIVATE KEY-----
blablablabase64private...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT2...
-----END CERTIFICATE-----
...

If you remove the entire private key section, you will have a valid chained .crt

I had the same error because I didn't issued a Let's Encrypt cert for the www.my-domain.com, only for my-domain.com

Issuing also for the www. and configuring the vhost to load certificates for www.my-domain.com before redirecting to https://my-domain.com did the trick.

Source: Stackoverflow.com

Examples related to android

Under what circumstances can I call findViewById with an Options Menu / Action Bar item? How to implement a simple scenario the OO way My eclipse won't open, i download the bundle pack it keeps saying error log getting " (1) no such column: _id10 " error java doesn't run if structure inside of onclick listener Cannot retrieve string(s) from preferences (settings) strange error in my Animation Drawable how to put image in a bundle and pass it to another activity FragmentActivity to Fragment A failure occurred while executing com.android.build.gradle.internal.tasks

Examples related to ssl-certificate

How to install OpenSSL in windows 10? Scraping: SSL: CERTIFICATE_VERIFY_FAILED error for http://en.wikipedia.org Not able to install Python packages [SSL: TLSV1_ALERT_PROTOCOL_VERSION] Letsencrypt add domain to existing certificate javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure bypass invalid SSL certificate in .net core How to add Certificate Authority file in CentOS 7 How to use a client certificate to authenticate and authorize in a Web API This certificate has an invalid issuer Apple Push Services iOS9 getting error “an SSL error has occurred and a secure connection to the server cannot be made”

Tags

Sdl Doctype Eye-tracking Xmlconvert Gsl Srgb Janrain Dynamic-scope Wspbuilder Viper Default-programs Reasoning Custom-scrolling Svnant Text-decorations Hornetq Referer Database-comparison Desktop-background Smb Catalog Atomikos Code-cleanup Jail Nscollectionviewitem Servermanager Server-communication External-js Extending Android Codecave Youtube.net-api Expression-web Dialect2 Apng Authlogic-oauth Drupal-theming Zend-server-installation Direct3d10 Visual-c++-2008 Webdev.webserver Libgdx Fcmp Objectiveresource Actionlistener Key-events 68000 Hotcocoa Gh-unit Google-talk Ecma262 Hwnd Asprepeater Selflanguage Solr Mb-convert-encoding Slots Delphi-prism Sizetofit Nscollectionview Url-mapping Text2image Ora-00918 Profiling Canexecute Des Doctrine .net-1.0 Qa Stencil-buffer Setvalue Punbb Radiant Avassetwriter Httpurlconnection Blind Mds-cs Web.sitemap Llblgen Urldecode Offline-browsing B-method Resolutions Assemblyfileversion Domxpath Datatemplate Flextable Xmlblaster D Cobertura Javarebel Asadmin Winexe Cons Epl Checkin Qwebpage Data-extraction Lwp Codeguard