Android ssl certificate error after renewing the certificate in server using digicert

最后都变了- 提交于 2021-02-06 13:58:12

问题


I have been using the ssl certificate key provided by the server team in android application under raw folder.It was working fine initially.

     CertificateFactory cf = CertificateFactory.getInstance("X.509");

        InputStream caInputMmx = new BufferedInputStream(this.getAssets().open("123.crt"));
        Certificate caMmx = cf.generateCertificate(caInputMmx);
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("caMmx", caMmx);
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        client.setSslSocketFactory(context.getSocketFactory());

After some days ,the certificate got expired and the server team renewed the certificate.From that point of time our android application stopped working with below exception

com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

On using the new renewed certificate from server our application works fine .Is there any workaround to fix this from server rather updating the new certificate in application every time ? Because if the user does not update the application , our app is not going to work. So is there any way to solve this issue instead of updating the cert in application every time if the certificate is expired .

Edited :

After comments , providing some additional informations .

Keystore : I am using default keystore . CA : I am using digicert CA.These guys are trusted .


回答1:


This kind of problem is often caused by a missing chain certificate. Check your site against SSLLabs and look for reports of incomplete chain. Note that desktop browser like Chrome might still work because they cache chain certificates from earlier connections and sometimes even actively try to retrieve missing chain certificates from the internet.



来源:https://stackoverflow.com/questions/40023948/android-ssl-certificate-error-after-renewing-the-certificate-in-server-using-dig

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!