3

We use a chained certificate on our server, but when we try to establish a connection with an Android app, using Retrofit or HttpsURLConnection, it always fails with “javax.net.ssl.SSLHandshakeException: Trust anchor for certification path not found”.

Standard Android browser as well as desktop site or iOS app work without any problems, so we suppose SSL on the server is properly configured.

Our server (nginx) is set to return just (.crt) certificate, when we change its settings to return full-chain certificate (fullchain.pem) our app starts to work, but that’s not the way we want it to operate.

What are we doing wrong? Thank you for any help.

PS: We don't want disables SSL certificate chain checking

com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
com.android.okhttp.Connection.connectTls(Connection.java:235)
com.android.okhttp.Connection.connectSocket(Connection.java:199)
com.android.okhttp.Connection.connect(Connection.java:172)
com.android.okhttp.Connection.connectAndSetOwner(Connection.java:367)
com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:130)
com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:247)
com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:457)
com.android.okhttp.internal.huc.HttpURLConnectionImpl.connect(HttpURLConnectionImpl.java:126)
com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.connect(DelegatingHttpsURLConnection.java:89)
com.android.okhttp.internal.huc.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java)
com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.connect(TrackedHttpURLConnection.java:154)
com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.tryConnect(TrackedHttpURLConnection.java:8
com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.trackResponse(TrackedHttpURLConnection.jav
com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.tryTrackResponse(TrackedHttpURLConnection.
com.android.tools.profiler.support.network.httpurl.TrackedHttpURLConnection.getResponseCode(TrackedHttpURLConnection.j
com.android.tools.profiler.support.network.httpurl.HttpsURLConnection$.getResponseCode(HttpsURLConnection$.java:146)
Jakub Brecher
  • 71
  • 6

1 Answers1

-1

add this to your build.gradle:

implementation 'com.google.android.gms:play-services-auth:11.8.0'

add this before network request:

try {
            ProviderInstaller.installIfNeeded(getApplicationContext());
        } catch (GooglePlayServicesRepairableException e) {
            e.printStackTrace();
        } catch (GooglePlayServicesNotAvailableException e) {
            e.printStackTrace();
        }
Poorya Taghizade
  • 56
  • 2
  • 12
  • Doesn`t work. Why old version play-service (11.8.0)? But stack trace is little bit different: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@15090021@15.0.90 (040408-231259764):43) at com.android.okhttp.Connection.connectTls(Connection.java:235) – Jakub Brecher Mar 28 '19 at 12:08