
I run openssl s_client -connect mywishboard.com:443 | openssl x509 -noout -subject -issuer and I get the following information about the certificate (set up by the client's developer):

depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
verify return:1
depth=0 CN = mywishboard.com
verify return:1
subject= /CN=mywishboard.com
issuer= /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA

Then I go to Settings / System / Trusted certificates and see that StartCom Ltd. is among them.

However, when I try to make HTTPS requests, they throw

javax.net.ssl.SSLHandshakeException:
java.security.cert.CertPathValidatorException: 
Trust anchor for certification path not found

If I use curl -I https://mywishboard.com/xxx, it returns

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Is that certificate malformed, or do I need to explicitly install it on the Android device? (But as I understand it, if the certificate is signed by a trusted CA issuer, then I don't need to install it, am I right?)

AADProgramming
Yarh

2 Answers


The website does not provide an intermediate certificate that is required to complete the certificate chain. Some clients, like Android, are unable to build the complete certificate path and do not trust the certificate when this happens.

[Image: SSL Labs report showing the missing intermediate certificate]

If you are the site admin, the correct way to address this is to download and supply the intermediate certificate so that the complete chain is sent.

Anand Bhat

There are two potential issues:

  • The Root CA used is "Go Daddy Root Certificate Authority - G2", which might not be available in your Android device.
  • The server is not presenting the Intermediate CA "Go Daddy Secure Certificate Authority - G2". The server certificate was issued by the Intermediate CA "Go Daddy Secure Certificate Authority - G2" that was issued by the Root CA "Go Daddy Root Certificate Authority - G2". For web servers this is not a problem as they are able to download the intermediate CA using the AIA extension from the server certificate but your Java application won't, unless you develop this functionality.
Jofre
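Both answers above come down to the same mechanism: a client builds a certification path from the leaf certificate, following each certificate's issuer to a certificate whose subject matches, until it reaches a root in its own trust store. Android and curl only use the certificates the server sent, so a missing intermediate ends the walk with "Trust anchor for certification path not found"; a browser may paper over the gap by fetching the issuer from the AIA extension. The following script is an added example (not code from the question, the answers, or Android) that models exactly that walk over the subject=/issuer= text that openssl prints. The certificate names, the trust store contents and the "AIA-fetched" certificates are all constructed sample data; the comparison of distinguished names as plain strings is a simplification of real path validation, which also checks signatures, validity periods and constraints.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample input in the text form printed by
#   openssl s_client -showcerts ... | openssl x509 -noout -subject -issuer
# for each certificate the server sent, leaf first. Names are made up.
SERVED_LEAF_ONLY = """\
subject= /CN=example.test
issuer= /C=IL/O=Example CA Ltd./CN=Example Class 1 DV Server CA
"""

# The same server, this time also sending the intermediate CA certificate.
SERVED_WITH_INTERMEDIATE = SERVED_LEAF_ONLY + """\
subject= /C=IL/O=Example CA Ltd./CN=Example Class 1 DV Server CA
issuer= /C=IL/O=Example CA Ltd./CN=Example Root CA
"""

# Hypothetical client trust store (what Android lists under trusted
# credentials): root subjects only. The intermediate is deliberately absent.
TRUST_STORE = {"/C=IL/O=Example CA Ltd./CN=Example Root CA"}

# One 'subject=' line immediately followed by its 'issuer=' line.
_PAIR_RE = re.compile(r"^subject=(?P<subject>.*)\n^issuer=(?P<issuer>.*)$",
                      re.MULTILINE)


def parse_served_chain(text: str) -> List[Dict[str, str]]:
    """Parse consecutive subject=/issuer= line pairs into dicts, leaf first."""
    return [{k: v.strip() for k, v in m.groupdict().items()}
            for m in _PAIR_RE.finditer(text)]


def build_path(served: List[Dict[str, str]],
               trust_store: Iterable[str],
               aia_fetched: Optional[List[Dict[str, str]]] = None
               ) -> Tuple[bool, List[str], str]:
    """Walk issuer -> subject links from the leaf to a trusted root.

    aia_fetched models certificates a browser-like client could obtain via
    the AIA 'CA Issuers' URL; leave it None to model a client such as Android
    or curl here, which only uses what the server sent.
    Returns (ok, path_of_subjects, reason).
    """
    if not served:
        return False, [], "server presented no certificate"
    trusted = set(trust_store)
    known = {c["subject"]: c for c in served}
    for c in aia_fetched or []:            # extra issuers fetched out of band
        known.setdefault(c["subject"], c)

    path: List[str] = []
    seen = set()
    current = served[0]                    # path building starts at the leaf
    while current["subject"] not in seen:  # guard against issuer loops
        seen.add(current["subject"])
        path.append(current["subject"])
        issuer = current["issuer"]
        if issuer in trusted:
            path.append(issuer)
            return True, path, "chain terminates at a trusted root"
        if issuer == current["subject"]:
            return False, path, "self-signed certificate is not a trust anchor"
        nxt = known.get(issuer)
        if nxt is None:                    # the situation in the question
            return False, path, ("missing intermediate: issuer %r was not "
                                 "served and is not a trust anchor" % issuer)
        current = nxt
    return False, path, "issuer loop in presented chain"


if __name__ == "__main__":
    leaf_only = parse_served_chain(SERVED_LEAF_ONLY)
    full = parse_served_chain(SERVED_WITH_INTERMEDIATE)
    intermediate_via_aia = full[1:]        # what a browser would fetch
    for label, args in [
        ("Android/curl, leaf only   ", (leaf_only, TRUST_STORE)),
        ("browser with AIA fetching ", (leaf_only, TRUST_STORE, intermediate_via_aia)),
        ("Android/curl, full chain  ", (full, TRUST_STORE)),
    ]:
        ok, path, why = build_path(*args)
        print(f"{label}: {'OK ' if ok else 'FAIL'} {why}")
```

Running it shows the leaf-only chain failing for a client that does not fetch issuers, succeeding for one that does, and succeeding for everyone once the server sends the intermediate, which is the fix the first answer recommends.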