Since this morning, my certificate is not trusted anymore on Android, and so my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn't trusted. What can I do?

Alexander Farber
Alexis

14 Answers

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

I once had this issue of an intermediate cert (with Comodo too) and had to combine my own cert file with the intermediate CA's to make it work. Once done, no errors occurred anymore.

Installation instructions per webserver by Godaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

And here is a list of the most common installation guides by Comodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (e.g. for Nginx) in the order:

  1. domain certificate
  2. intermediate certificate
  3. root certificate

An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile

Certificate test tool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: networking4all.com/en/ssl+certificates/quickscan

SNI support for Android 2.2 and lower

Please note that Android 2.2 (and probably older) does not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.

Luceos
  • +1, this worked for my issue with 2.3.X devices since they seem to have an issue with the order of chained verification (I'm pretty noob when it comes to certs), and having this new bundle with the right order (via combination like @Luceos suggested) worked like a charm. Thanks – Armando Jan 16 '14 at 17:06
  • You're welcome, we also use it on a regular basis, especially because it validates more than just an intermediate certificate. Happy that I could be of help. – Luceos Sep 23 '14 at 07:20
  • The link for Comodo is dead – gfaceless Jun 30 '15 at 08:24
  • Also keep in mind that Android 2.2 doesn't support SNI, and this can lead to certificate handshake failure (the wrong certificate might be returned). – Niki Romagnoli Aug 04 '15 at 09:53
  • Thanks @TechNyquist, SNI is not supported on 2.2 and below; added that information to the answer. – Luceos Aug 04 '15 at 09:58
  • Does your bundle suggestion work with Apache or nginx as a reverse proxy? – Felipe Alvarez Aug 08 '15 at 00:26
  • Depends on your setup. Either the proxy or the end server will serve the certificate and should have it configured properly. @felipealvarez – Luceos Aug 08 '15 at 06:09
  • Here are up-to-date instructions for Comodo + nginx https://gist.github.com/bradmontgomery/6487319 – Harrison Powers Sep 23 '15 at 17:15
  • Thanks for the explanation. I have a Thawte certificate and I had to log in on their website and click on "View Order Information". The email sent contains a link where the intermediate certificate can be downloaded under "Additional Certificates". – Guillaume Renoult Nov 23 '15 at 06:14
  • This worked for my OpenMediaVault NAS and my phone running Marshmallow. I edited the certificate on the server, appended the intermediate certs, saved it, and restarted the web interface, and Chrome on my phone went from "issuer not trusted" to being fat and happy with the cert. Thanks! – Doktor J Apr 08 '16 at 04:21
  • New link to the site checker is https://www.networking4all.com/en/ssl+certificates/quickscan/. – doak Nov 16 '18 at 21:11

You have to create a crt bundle then it will be fine. You will be receiving three crt files. Use them all! If you only used the domain.crt then there will be warning on android but not on PC.

I am on nginx. I opened domain_name.crt and then opened positivesslca2.crt, selected all and copied it to the end of domain_name.crt. Then I opened AddTrustExternalCARoot.crt and copied it to the end of domain_name.crt again. Then I installed domain_name.crt.

It works well.

BenMorel
dallas
  • This looks like the solution I'm looking for, but it still does not work for me. I am also on nginx with a godaddy certificate. godaddy has 3 certs: domain.crt, intermediate.crt, and bundle.crt. Do you know which is the correct order according to your answer? i.e. domain > intermediate > bundle or domain > bundle > intermediate? for some reason neither works for me. – isapir Jan 06 '14 at 08:13
  • Apparently bundle.crt is the [intermediate.crt + root.crt] concatenated so that seems to be the correct order. But I still can't get it to work. Any ideas? Thanks. – isapir Jan 06 '14 at 09:18
  • You don't need the root, that's already bundled into the OS. You just need the intermediate chain. Order should be yours + intermediate. – dalore Aug 20 '14 at 10:49

Adding this here as it might help someone. I was having problems with Android showing the popup and invalid certificate error.

We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSAExtendedValidationSecureServerCA.crt
  • www_mydomain_com.crt

I concatenated them together all on one line like so:

cat www_mydomain_com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www.mydomain.com.ev-ssl-bundle.crt

Then I used that bundle file as my ssl_certificate_key in nginx. That's it, works now.

Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3

k00k

I had the same issue, and my issue was the device not having the right date and time. Once I fixed that, the certificate was trusted.

Boon

With Comodo PositiveSSL we have received 4 files.

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • our_domain.crt

When we followed the instructions on the Comodo site, we would get an error that our certificate was missing an intermediate certificate file.

Basically the syntax is:

cat our_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > domain-ssl_bundle.crt
Mathew

I've recently run into this issue with a Comodo cert I bought on ssls.com, and I had 3 files:

domain-name.ca-bundle, domain-name.crt and domain-name.p7b

I had to set it up on Nginx, and this is the command I ran:

cat domain-name.ca-bundle domain-name.crt > commodo-ssl-bundle.crt

I then used commodo-ssl-bundle.crt inside the Nginx config file, and it works like a charm.

somecallitblues

I had the same error because I hadn't issued a Let's Encrypt cert for www.my-domain.com, only for my-domain.com.

Issuing one for the www. as well, and configuring the vhost to load the certificates for www.my-domain.com before redirecting to https://my-domain.com, did the trick.

Adrian Onu

I encountered this same issue under Apache 2.2 when I was trying to use multiple SSLCertificateChainFile directives for each intermediate cert; instead I needed to concatenate all three into a single file. Coming from GoDaddy where they'd done this for me as a "bundle" this extra step was new to me, but a re-reading of the Apache documentation made this apparent.

Worth noting, this directive is deprecated as of Apache 2.4.8 since you can now concatenate all the intermediates with the actual cert.

rymo

I hope I am not too late; this solution worked for me. I am using COMODO SSL; the above solutions seem to become invalid over time. My website: lifetanstic.co.ke

Instead of contacting Comodo Support to get a CA bundle file, you can do the following:

When you get your new SSL cert from Comodo (by mail) they have a zip file attached. You need to unzip the zip file and open the following files in a text editor like Notepad:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt

Then copy the text of each ".crt" file and paste the texts above each other in the "Certificate Authority Bundle (optional)" field.

After that just add the SSL cert as usual in the "Certificate" field, click the "Autofil by Certificate" button and hit "Install".


With Godaddy certs you most likely will have a domain.key, gd_bundle_something.crt and (random alphanumeric string) 4923hg4k23jh4.crt

You'll need to: cat gd_bundle_something.crt >> 4923hg4k23jh4.crt

And then, on nginx, you will use

ssl                  on;
ssl_certificate      /etc/ssl/certs/4923hg4k23jh4.crt;
ssl_certificate_key  /etc/ssl/certs/domain.key;
dazito

I had the same problem. Another way to generate the correct .crt file is like this:

Sometimes you get a .PEM file with an entire certificate chain inside. The file may look like this:

-----BEGIN RSA PRIVATE KEY-----
blablablabase64private...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT2...
-----END CERTIFICATE-----
...

If you remove the entire private key section, you will have a valid chained .crt.

David Valdivieso
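Pulling together the bundle-ordering advice in the top answer (domain, then intermediate, then root) and the "strip the private key out of the PEM" case in this answer, here is an added Python helper that is not code from any answer on this page. It reads a PEM file, drops every non-certificate block such as an RSA PRIVATE KEY, and orders the certificates leaf, intermediate(s), root by matching each Issuer to the next Subject, reporting whether the chain ends at a self-signed root. It uses only the standard library, so it walks just enough DER to locate the Issuer and Subject fields; fake_cert_pem builds constructed, unsigned cert-shaped test data and is not a real certificate generator.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(buf, off=0):  # read one DER tag-length-value at buf[off] -> (tag, value, bytes consumed)
    tag, ln, hdr = buf[off], buf[off + 1], 2
    if ln & 0x80:                                   # long-form length: low 7 bits = number of length bytes
        hdr += ln & 0x7F
        ln = int.from_bytes(buf[off + 2:off + hdr], "big")
    return tag, buf[off + hdr:off + hdr + ln], hdr + ln

def issuer_and_subject(der_cert):
    """Raw DER Issuer and Subject of an X.509 cert, located via TBSCertificate's fixed field order."""
    _, cert, _ = der_tlv(der_cert)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = der_tlv(cert)
    fields, off = [], 0
    while off < len(tbs):
        tag, val, used = der_tlv(tbs, off)
        fields.append((tag, val))
        off += used
    fields = fields[1:] if fields[0][0] == 0xA0 else fields   # skip the optional [0] EXPLICIT version
    return fields[2][1], fields[4][1]               # serial, sigAlg, issuer, validity, subject, ...

def order_chain(pem_text):
    """Return ([(subject, pem_block), ...] in leaf -> root order, ends_at_self_signed_root)."""
    by_subject = {}
    for label, b64 in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":                  # "RSA PRIVATE KEY" etc. must never be in the served bundle
            issuer, subject = issuer_and_subject(base64.b64decode(b64))
            by_subject[subject] = (issuer, f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----")
    issuers = {issuer for issuer, _ in by_subject.values()}
    leaves = [s for s in by_subject if s not in issuers]   # the leaf is the one cert that issued nothing
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered, cur = [], leaves[0]
    while cur in by_subject:                        # pop() makes a malformed cycle terminate
        issuer, block = by_subject.pop(cur)
        ordered.append((cur, block))
        if issuer == cur:
            return ordered, True                    # reached a self-signed root
        cur = issuer
    return ordered, False                           # stops at an intermediate: root omitted (fine) or missing

def der(tag, body):  # short-form DER TLV (body < 128 bytes); enough for the constructed test data below
    return bytes([tag, len(body)]) + body
def fake_cert_pem(subject, issuer):  # constructed test data: a cert-shaped DER skeleton, not a signed X.509 cert
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, issuer) + der(0x30, b"") + der(0x30, subject))
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"
```

Write "\n".join(block for _, block in ordered) to the file that your nginx ssl_certificate (or Apache 2.4.8+ SSLCertificateFile) directive points at; a False second return value with a leaf that was not issued by any cert you have means the intermediate is still missing.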

Make sure you also use your intermediate .crt (the .crt file with a bundle; some providers also call it the bundle or CA certificate). Then in your ssl.conf:

SSLCertificateFile </path/for/actual/certificate>

SSLCACertificateFile </path/for/actual/intermediate_certificate>

then restart your webserver, e.g. for Apache:

sudo service httpd restart
Vikalp Veer

Could be that you're missing the certificate on your device.

Try looking at this answer: How to install trusted CA certificate on Android device? to see how to install the CA on your own device.

thepoosh
  • My certificate is issued by PositiveSSL CA / Comodo CA Limited and in my trusted credentials on my phone I can see 3 Comodo CA Limited (AAA Certification Authority, COMODO Certification Authority and COMODO ECC Certification Authority) – Alexis Jul 05 '12 at 08:35

I had a similar problem and wrote a detailed article about it. If anyone has the same problem, feel free to read my article.

https://developer-blog.net/administration/ssl-zertifikat-installieren/

It is a detailed problem description in German.

Ziagl