问题
Hi have setup a small serve, generated a free certificate from Let's encrypt and configured Nginx to use that certificate (fullchain.pem and privkey.pem)
However, when I attempt to make a call from my Android app (with OkHttp3) I get this error
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
Is Let's encrypt root certificate not trusted by the Android cert trust store? Or did I miss something when setting up nginx? What is a work around for this If i still want to use Let's encrypt certificates?
回答1:
I'm not sure it's useful but, the /etc/letsencrypt/live/<your domain>/README file says:
This directory contains your keys and certificates.
privkey.pem: the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem: used for OCSP stapling in Nginx >=1.3.7.
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
So maybe you should be using chain.pem?
On the other hand, for those not even using Nginx, I was getting the same error from Android because I mistakenly used chain.pem instead of fullchain.pem. One of the solutions for Android apps require you send the whole chain of certificates (i.e.: fullchain.pem), as explained here:
https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs
There are two approaches to solve this issue:
Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers. This is the only approach if you need the site to work with default Android browsers at least through Android 4.2.
Or, treat the intermediate CA like any other unknown CA, and create a TrustManager to trust it directly, as done in the previous two sections.
Hope it helps.
回答2:
In let's encrypt user guide:
If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
For others who are using Apache, check your apache version. For one of my server I set up. I was using Apache < 2.4.8. In let's encrypt user guide:
cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate...
Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.
So, for SSLCertificateFile, use cert.pem; for SSLCertificateChainFile use chain.pem.
I originally using fullchain.pem for SSLCertificateFile only. it worked for most browsers, and iOS. But Android complained about it with the above error.
Separately configuring the cert and chain in Apache, all platforms work well.
来源:https://stackoverflow.com/questions/45488917/lets-encrypt-on-android-gives-java-security-cert-certpathvalidatorexception-tr