Let's Encrypt on Android gives java.security.cert.CertPathValidatorException: Trust anchor for certification path not found


Question

Hi, I have set up a small server, generated a free certificate from Let's Encrypt and configured Nginx to use that certificate (fullchain.pem and privkey.pem).

However, when I attempt to make a call from my Android app (with OkHttp3) I get this error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

Is the Let's Encrypt root certificate not trusted by the Android cert trust store? Or did I miss something when setting up Nginx? What is a workaround for this if I still want to use Let's Encrypt certificates?

Recommended answer

I'm not sure it's useful, but the /etc/letsencrypt/live/<your domain>/README file says:

This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.

fullchain.pem: the certificate file used in most server software.

chain.pem : used for OCSP stapling in Nginx >=1.3.7.

cert.pem : will break many server configurations, and should not be used without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

So maybe you should use chain.pem?

On the other hand, for those not even using Nginx, I was getting the same error from Android because I mistakenly used chain.pem instead of fullchain.pem. One of the solutions for Android apps requires you to send the whole chain of certificates (i.e. fullchain.pem), as explained here:

https://developer.android.com/training/articles/security-ssl.html#CommonHostnameProbs

There are two approaches to solve this issue:

  • Configure the server to include the intermediate CA in the server chain. Most CAs provide documentation on how to do this for all common web servers. This is the only approach if you need the site to work with default Android browsers at least through Android 4.2.

  • Or, treat the intermediate CA like any other unknown CA, and create a TrustManager to trust it directly, as done in the previous two sections.

Hope it helps.
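The second approach quoted above, written out for OkHttp3 as an added example (not code from the question, the answer or the Android docs): the intermediate CA from chain.pem is loaded into an empty in-memory KeyStore and becomes the only trust anchor of the client, so a server that omits the intermediate still validates. The asset name chain.pem in the usage comment is an assumption; note that pinning a single intermediate means the app must ship an update whenever the CA rotates it, which is why the first approach (serving fullchain.pem) is the preferred fix.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public final class ChainTrustClient {

    /**
     * Builds an OkHttpClient whose trust store contains only the certificates
     * in caPem (e.g. the contents of chain.pem, the Let's Encrypt intermediate).
     * OkHttp's default hostname verification stays enabled.
     * Usage on Android (assumed asset name): clientTrusting(context.getAssets().open("chain.pem"))
     */
    public static OkHttpClient clientTrusting(InputStream caPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates accepts a PEM bundle holding one or more certificates
        Collection<? extends Certificate> cas = cf.generateCertificates(caPem);
        if (cas.isEmpty()) {
            throw new IllegalArgumentException("no certificates found in PEM input");
        }

        // Fresh key store: nothing from the system store, only what we add here
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        int i = 0;
        for (Certificate ca : cas) {
            keyStore.setCertificateEntry("ca" + (i++), ca);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("unexpected trust managers: " + Arrays.toString(tms));
        }
        X509TrustManager trustManager = (X509TrustManager) tms[0];

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManager }, null);

        // OkHttp3 requires the matching X509TrustManager alongside the socket factory
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContext.getSocketFactory(), trustManager)
                .build();
    }
}
```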
