
How can I fix the "No certificates found - The app Chrome has requested a certificate" Android / Google Chrome issue

The issue

Some of our website users are encountering an issue when accessing secure areas of our website, on Android devices, in Google Chrome.

It looks like this;

'No certificates found' error, as seen in Chrome on Samsung Galaxy S6 (Android v5)

I've been able to replicate the issue on the following devices using Browserstack's physical device testing;

  • Samsung Galaxy S6, Samsung Galaxy S5, Samsung Galaxy S4 (Android v5 and v4.4)
  • Nexus 6 (Android v6, v5 and v4.4)
  • Moto X 2nd Gen (Android v6 and v5)

My research

All the articles, forums and questions that I've read online (and there aren't many, unless I'm searching for the wrong thing) point to server and / or SSL certificate setup and configuration, and that the issue being experienced is by design.

Suggested fix 1

The most useful article I've found so far is Issue 268055 "No Certificates Found" on the chromium issue tracker.

Comment 18 suggests changing SSL settings in IIS;

I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that "Ignore" is selected for Client Certificates.

Comment 28 backs it up;

For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There's nothing that Chrome can do here - the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That's the prompt you're seeing - it's controlled by Android and all apps (Google or otherwise) are required to go through that flow.

This will occur with any site configured to request client certificates, so to resolve this, either don't request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).

kamakshi: This is all "By Design" behaviour, but requires server operators to change, so I'm not sure what to do with this bug.

As does comment 43;

I don't think people on this bug would know much about configuring IIS. You'd want to talk with Microsoft about that. From searching around, "Ignore Client Certificate" seems to be the option you want.

We've done that but it doesn't seem to have made a difference.

IIS SSL settings


Suggested fix 2

Another question here on Stack ("certificate trusted on pc but not in android") suggests that an intermediate certificate might be missing;

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

I've checked and we have a domain certificate (which isn't a wildcard certificate), an intermediate certificate and a root certificate, so I don't think that's the issue either. I've also run a site checker test on the Networking4all website, and an SSL test on the Qualys SSL website and they both pass without errors or warnings.

My question

Has anyone else encountered this issue? Are there any other solutions that we can try to fix it? I'm out of ideas at this point so any advice would be hugely appreciated.

Some extra details just in case

The server the website is on is running Windows Server 2008 R2 and IIS 7.5, and our SSL certificate provider is Thawte.

Thanks in advance!

LHKC asked May 03 '16 13:05



1 Answer

Having just resolved this exact same issue, here's what I found...

Server Specs (essentially the same as O.P)

  • Windows Server 2008 r2
  • IIS 7.5
  • SSL Provider: GeoTrust RapidSSL

First Issue: Out of Date Cryptographic Policies

Several articles pointed out the server may have out of date cryptographic policies. A bit of research revealed everything must be configured using registry settings. See the MS Support article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll for detailed information.

Not sure if your server is up to date? SSL Labs' Server Test is a great tool for validating your site's cryptographic policies.

Manually Edit the Registry?

The MS Support article details editing the registry keys. Aack! A bit more research and I found a great utility called IIS Crypto by Nartac Software that will update all the registry keys in a single click. FYI: a reboot is required as well.

From the Nartac Software site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Second Issue: Incorrect IIS SSL Site Settings

The root of this issue is due to the default of IIS setting the SSL Settings to "Accept" Client certificates. There is no need to accept client certs, so simply set the setting as "Ignore" (from the O.P.'s suggested fix #1 image).

Note: The image shows "Require SSL" is unchecked; for this discussion, whether it is checked is not relevant. All that matters is the site can connect using https.

Ignore Client certificates in IIS

Wrap Up

Once the server has the cryptographic policies reconfigured and the IIS SSL Settings have been set to ignore client certs, the "No certificates found" error will be resolved.

Metro Smurf answered Sep 20 '22 19:09
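
The Ignore / Accept / Require choice discussed in the question and answer is stored by IIS as the `sslFlags` attribute of `system.webServer/security/access`. The following is an added example, not code from either poster: a Python check that reads a configuration file of that shape and reports which scopes will make the server request a client certificate. The sample XML and site names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of IIS applicationHost.config.
# Site names are invented for this example.
SAMPLE_CONFIG = """
<configuration>
  <system.webServer>
    <security><access sslFlags="None" /></security>
  </system.webServer>
  <location path="shop.example.test">
    <system.webServer>
      <security><access sslFlags="Ssl, SslNegotiateCert" /></security>
    </system.webServer>
  </location>
  <location path="intranet.example.test">
    <system.webServer>
      <security><access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" /></security>
    </system.webServer>
  </location>
</configuration>
"""

def client_cert_mode(ssl_flags):
    """Map an sslFlags value to the Client certificates choice in IIS Manager."""
    flags = {f.strip() for f in ssl_flags.split(",")}
    if "SslRequireCert" in flags:
        return "Require"
    if "SslNegotiateCert" in flags:
        return "Accept"   # server asks for a certificate; Android shows its prompt
    return "Ignore"       # no certificate request is sent

def audit(config_xml):
    """Return {scope: mode} for every scope that sets sslFlags explicitly."""
    root = ET.fromstring(config_xml)
    scopes = [("(server default)", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    result = {}
    for name, scope in scopes:
        access = scope.find("system.webServer/security/access")
        if access is not None:
            result[name] = client_cert_mode(access.get("sslFlags", "None"))
    return result

def scopes_requesting_client_cert(config_xml):
    return sorted(n for n, m in audit(config_xml).items() if m != "Ignore")

if __name__ == "__main__":
    for scope, mode in audit(SAMPLE_CONFIG).items():
        print(f"{scope:25} {mode}")
```

A scope that sets no `sslFlags` of its own inherits from its parent, so it does not appear in the result; check the parent scope's entry for those sites.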