Let's Encrypt on Android gives java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Hi, I have set up a small server, generated a free certificate from Let's Encrypt and configured Nginx to use that certificate (fullchain.pem and privkey.pem).

However, when I attempt to make a call from my Android app (with OkHttp3) I get this error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Is the Let's Encrypt root certificate not trusted by the Android cert trust store? Or did I miss something when setting up nginx? What is a workaround for this if I still want to use Let's Encrypt certificates?

Johny19 asked Aug 03 '17 15:08



1 Answer

I'm not sure it's useful, but the /etc/letsencrypt/live/<your domain>/README file says:

This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.

fullchain.pem: the certificate file used in most server software.

chain.pem : used for OCSP stapling in Nginx >=1.3.7.

cert.pem : will break many server configurations, and should not be used without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

So maybe you should be using chain.pem?

On the other hand, for those not even using Nginx, I was getting the same error from Android because I mistakenly used chain.pem instead of fullchain.pem. One of the solutions for Android apps requires you to send the whole chain of certificates (i.e. fullchain.pem), as explained here:

https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs

There are two approaches to solve this issue:

  • Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers. This is the only approach if you need the site to work with default Android browsers at least through Android 4.2.

  • Or, treat the intermediate CA like any other unknown CA, and create a TrustManager to trust it directly, as done in the previous two sections.

Hope it helps.

maganap answered Sep 18 '22 16:09

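To make the difference between cert.pem, fullchain.pem and the "trust the intermediate directly" approach concrete, here is an added example (not code from the question, the answer, Certbot or Android). It uses Go's standard crypto/x509 verifier as a stand-in for Android's path validator, builds a constructed root CA, intermediate CA and leaf certificate, and checks the leaf three ways: with only the leaf presented (what a server configured with cert.pem sends), with leaf plus intermediate (fullchain.pem), and with the intermediate itself placed in the client's trust store (the TrustManager approach from the Android docs). All names, the serial counter and the hierarchy are constructed for the example; Go's UnknownAuthorityError plays the role of Android's "Trust anchor for certification path not found".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter; real CAs use random serials

// mkCert issues a certificate for name, signed by parent (self-signed when parent is nil).
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify builds a path the way a TLS client does: from the leaf, through whatever
// intermediates the server sent, to a certificate in the client's trust store.
func verify(leaf *x509.Certificate, trusted, sent []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range sent {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       leaf.DNSNames[0],
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome holds the verification result for each server/client configuration.
type Outcome struct {
	CertOnly    error // server serves cert.pem: leaf only, intermediate missing
	FullChain   error // server serves fullchain.pem: leaf + intermediate
	PinnedInter error // client trusts the intermediate directly (TrustManager approach)
}

// Scenarios builds the constructed root -> intermediate -> leaf hierarchy and
// checks the leaf under the three configurations discussed in the answer.
func Scenarios() Outcome {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("example.test", false, inter, interKey)
	trustRoot := []*x509.Certificate{root}
	return Outcome{
		CertOnly:    verify(leaf, trustRoot, nil),
		FullChain:   verify(leaf, trustRoot, []*x509.Certificate{inter}),
		PinnedInter: verify(leaf, []*x509.Certificate{inter}, nil),
	}
}

// IsUnknownAuthority reports whether err is Go's equivalent of Android's
// "Trust anchor for certification path not found".
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	o := Scenarios()
	fmt.Println("cert.pem only      :", o.CertOnly)
	fmt.Println("fullchain.pem      :", o.FullChain)
	fmt.Println("pinned intermediate:", o.PinnedInter)
}
```

Only the first scenario fails, and it fails with an unknown-authority error even though the client already trusts the root: the verifier cannot get from the leaf to the root because the link in between was never sent. Serving fullchain.pem fixes it on the server side for every client; pinning the intermediate fixes it on the client side only, and breaks when the CA rotates its intermediate, which is why the server-side fix is the one to prefer.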