9

Hi, I have set up a small server, generated a free certificate from Let's Encrypt and configured Nginx to use that certificate (fullchain.pem and privkey.pem).

However, when I attempt to make a call from my Android app (with OkHttp3) I get this error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Is the Let's Encrypt root certificate not trusted by the Android cert trust store? Or did I miss something when setting up Nginx? What is a workaround for this if I still want to use Let's Encrypt certificates?

Johny19
  • 5,364
  • 14
  • 61
  • 99
  • "Is Let's encrypt root certificate not trusted by the Android cert trust store?" -- it will depend in part on the version of Android. Older devices are more likely to have issues. "Or did I miss something when setting up nginx?" -- test with a regular Web browser and see if the browser complains. "What is a work around for this" -- set up certificate pinning in OkHttp, pinning to the Let's Encrypt root certificate. – CommonsWare Aug 03 '17 at 15:47
  • 1
    Using a regular Android browser works just fine. Looks like it is more an issue with the JDK trust store :/ – Johny19 Aug 03 '17 at 16:01
  • did you find a solution for this ? I have the same problem – jaumard Nov 21 '17 at 19:37
  • Any updates on the issue? I am facing the same problem too! – Rahul Shukla Dec 12 '17 at 09:34
  • I think I had given up and manually imported my certificate in the trust store (just for testing) – Johny19 Dec 12 '17 at 15:19
  • same issue here, did you solve it ? – Mohammed Riyadh Jan 08 '18 at 07:06

2 Answers

5

I'm not sure it's useful, but the /etc/letsencrypt/live/<your domain>/README file says:

This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.

fullchain.pem: the certificate file used in most server software.

chain.pem : used for OCSP stapling in Nginx >=1.3.7.

cert.pem : will break many server configurations, and should not be used without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

So maybe you should be using chain.pem?

On the other hand, for those not even using Nginx, I was getting the same error from Android because I mistakenly used chain.pem instead of fullchain.pem. One of the solutions for Android apps requires you to send the whole chain of certificates (i.e. fullchain.pem), as explained here:

https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs

There are two approaches to solve this issue:

  • Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers. This is the only approach if you need the site to work with default Android browsers at least through Android 4.2.

  • Or, treat the intermediate CA like any other unknown CA, and create a TrustManager to trust it directly, as done in the previous two sections.

Hope it helps.

maganap
  • 2,414
  • 21
  • 24
0

In the Let's Encrypt user guide:

If you’re using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.

For others who are using Apache, check your Apache version. For one of my servers I set up, I was using Apache < 2.4.8. In the Let's Encrypt user guide:

cert.pem contains the server certificate by itself, and chain.pem contains the additional intermediate certificate... 
Apache < 2.4.8 needs these for SSLCertificateFile and SSLCertificateChainFile, respectively.

So, for SSLCertificateFile, use cert.pem; for SSLCertificateChainFile use chain.pem.

I was originally using fullchain.pem for SSLCertificateFile only. It worked for most browsers and iOS, but Android complained about it with the above error.

After separately configuring the cert and chain in Apache, all platforms work well.

Quickpick
  • 163
  • 6
  • I don't remember what the problem was or how I fixed it, but I remember it was something between the screen and the chair – Alexis May 28 '19 at 10:01
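Both answers above come down to the same check: the file (or pair of directives) the web server is configured to send must carry the intermediate certificate as well as the leaf, otherwise Android cannot build a path to a trust anchor it knows. The following script is an added example, not code from either answer or from Certbot: it builds constructed placeholder stand-ins for the Certbot files (cert.pem, chain.pem, fullchain.pem), writes a leaf-only Nginx config next to a corrected one and an Apache split cert/chain config, and reports offline which of them would serve a complete chain. The PEM bodies are dummy text; only the number of certificate blocks matters for this check.

```shell
#!/bin/sh
# Added example (not from the Stack Overflow answers). Offline check that the
# certificate file(s) a web server is configured to send include the
# intermediate as well as the leaf certificate. All files below are
# constructed placeholders, not real certificates or real server configs.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /etc/letsencrypt/live/<domain>/{cert,chain,fullchain}.pem.
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' '-----END CERTIFICATE-----' > "$WORK/cert.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE-PLACEHOLDER' '-----END CERTIFICATE-----' > "$WORK/chain.pem"
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"

# Weak Nginx config: only the leaf is served, so a client that has not cached
# the intermediate fails with "Trust anchor for certification path not found".
cat > "$WORK/nginx-weak.conf" <<EOF
ssl_certificate     $WORK/cert.pem;
ssl_certificate_key $WORK/privkey.pem;
EOF

# Corrected Nginx config: fullchain.pem carries leaf + intermediate;
# chain.pem is only used for OCSP stapling, as the Certbot README says.
cat > "$WORK/nginx-good.conf" <<EOF
ssl_certificate         $WORK/fullchain.pem;
ssl_certificate_key     $WORK/privkey.pem;
ssl_trusted_certificate $WORK/chain.pem;
EOF

# Apache < 2.4.8 style from the second answer: leaf and chain in two directives.
cat > "$WORK/apache-split.conf" <<EOF
SSLCertificateFile      $WORK/cert.pem
SSLCertificateChainFile $WORK/chain.pem
EOF

# Number of PEM certificate blocks in a file; 0 if the file is missing.
count_certs() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# First value of a directive in a config file ($1 = file, $2 = directive).
# Strips the trailing ';' that Nginx directives carry.
directive_value() {
    awk -v d="$2" '$1 == d { v = $2; sub(/;$/, "", v); print v; exit }' "$1"
}

# Nginx sends exactly what ssl_certificate points to, so that one file must
# hold at least two certificates (leaf + intermediate).
nginx_chain_ok() {
    f="$(directive_value "$1" ssl_certificate)"
    [ "$(count_certs "$f")" -ge 2 ]
}

# Apache: either SSLCertificateFile already contains the chain, or
# SSLCertificateChainFile supplies the intermediate(s) separately.
apache_chain_ok() {
    leaf="$(directive_value "$1" SSLCertificateFile)"
    chain="$(directive_value "$1" SSLCertificateChainFile)"
    [ "$(count_certs "$leaf")" -ge 2 ] || [ "$(count_certs "$chain")" -ge 1 ]
}

# Verdict for one config file; $1 = nginx|apache, $2 = path.
report() {
    if "${1}_chain_ok" "$2"; then
        echo "OK:   $2 serves leaf + intermediate"
    else
        echo "FAIL: $2 serves the leaf only; Android will not find a trust anchor"
    fi
}

report nginx  "$WORK/nginx-weak.conf"
report nginx  "$WORK/nginx-good.conf"
report apache "$WORK/apache-split.conf"
```

Against a live server the equivalent check is to count the certificates the TLS handshake actually returns, for example with `openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null | grep -c 'BEGIN CERTIFICATE'` (example.com is a placeholder for your host): a result of 1 means the intermediate is missing, which is exactly the situation the question describes. A desktop browser may still show the padlock in that case because it caches intermediates from earlier visits, so the browser test suggested in the comments can pass while Android fails.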