Question
I have been using the SSL certificate key provided by the server team in the Android application under the raw folder. It was working fine initially.
```java
// Load the certificate bundled with the app.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInputMmx = new BufferedInputStream(this.getAssets().open("123.crt"));
Certificate caMmx = cf.generateCertificate(caInputMmx);
// Create an empty KeyStore whose only trusted entry is that certificate.
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("caMmx", caMmx);
// Build a TrustManager that trusts only the entries in this KeyStore.
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Use that TrustManager for the HTTP client's TLS connections.
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
client.setSslSocketFactory(context.getSocketFactory());
```
After some days, the certificate expired and the server team renewed the certificate. From that point on, our Android application stopped working, with the exception below:
com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
On using the new renewed certificate from the server, our application works fine. Is there any workaround to fix this from the server rather than updating the new certificate in the application every time? Because if the user does not update the application, our app is not going to work. So is there any way to solve this issue instead of updating the cert in the application every time the certificate expires?
Edited:
After the comments, providing some additional information.
Keystore: I am using the default keystore. CA: I am using the DigiCert CA. These guys are trusted.
Answer 1:
This kind of problem is often caused by a missing chain certificate. Check your site against SSLLabs and look for reports of an incomplete chain. Note that desktop browsers like Chrome might still work because they cache chain certificates from earlier connections and sometimes even actively try to retrieve missing chain certificates from the internet.
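The incomplete-chain failure described in this answer can be reproduced offline with the openssl CLI. This is an added example, not part of the original answer; the demo CA names, host name and file names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: root CA -> intermediate CA -> server (leaf) certificate.
set -e

new_key_and_csr() {  # <dir> <name> <common-name>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_demo_pki() {  # <dir>
  # Extensions that mark a certificate as a CA.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  # Self-signed root: stands in for the CA root the client already trusts.
  new_key_and_csr "$1" root "Demo Root CA"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
    -extfile "$1/ca.ext" -days 30 -out "$1/root.pem" 2>/dev/null
  # Intermediate CA signed by the root: the "chain certificate".
  new_key_and_csr "$1" int "Demo Intermediate CA"
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -extfile "$1/ca.ext" -days 30 -out "$1/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate, as after a renewal.
  new_key_and_csr "$1" leaf "api.example.test"
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 30 -out "$1/leaf.pem" 2>/dev/null
}

# Validate <leaf> the way a client does: trusting <root> and using only the
# intermediates the server sent (optional third argument).
chain_ok() {  # <root> <leaf> [sent-intermediates]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"

if chain_ok "$demo/root.pem" "$demo/leaf.pem"; then
  echo "server sends leaf only:           chain OK"
else
  echo "server sends leaf only:           FAIL (no path to the trusted root)"
fi
if chain_ok "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem"; then
  echo "server sends leaf + intermediate: chain OK"
else
  echo "server sends leaf + intermediate: FAIL"
fi
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the server actually sends, which shows whether the intermediate is included.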
Source: https://stackoverflow.com/questions/40023948/android-ssl-certificate-error-after-renewing-the-certificate-in-server-using-dig