Android WebView "Trust anchor for certification path not found" for LetsEncrypt cert


Problem description

I have a web site being served over SSL from node.js. When I visit the site with a web browser (both on the Desktop and Android), everything is fine - the lock appears indicating that the site is secure; when I inspect the certificate it is valid and everything looks OK. That should mean the server is set up correctly, right?

However, when I try to use an Android WebView for the exact same site, the page fails to load - I don't even see a request for the web page in my logs. And, after relaxing the filter on logcat, I noticed this message:

I/X509Util: Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

In researching this a bit, one suggestion was that this is a configuration error on the server - that some part of the certificate isn't installed correctly. I tested the site with an SSL analysis tool and discovered this:

TLS Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates.

The certificate is from LetsEncrypt which by default puts four files in the directory for the site: privkey.pem, cert.pem, chain.pem, and fullchain.pem. I am using the following code in node.js to load everything:

const tls = require("tls");
const fs = require("fs");

// dir is the directory holding the Let's Encrypt files for the site (set elsewhere)
tls.createSecureContext({
    key: fs.readFileSync(dir + "/privkey.pem", "utf8"),
    cert: fs.readFileSync(dir + "/cert.pem", "utf8"),   // leaf certificate only
    ca: fs.readFileSync(dir + "/chain.pem", "utf8")     // intermediate CA certificate(s)
})

From reading the documentation on the createSecureContext function, I think the corresponding PEM files generated by LetsEncrypt are correct. Specifically, it is my understanding that the ca parameter pointing to the chain.pem file is what allows the intermediate CAs to be presented, which Android requires. However, just for good measure I also tried omitting the ca option (this should cause it to default to Mozilla's default chain), and changing ca to point to "fullchain.pem", neither of which made a difference.

What am I doing wrong here?

Recommended answer

After experimenting with a few other things, I discovered that this works:

const tls = require("tls");
const fs = require("fs");

// dir is the directory holding the Let's Encrypt files for the site (set elsewhere)
tls.createSecureContext({
    key: fs.readFileSync(dir + "/privkey.pem", "utf8"),
    cert: fs.readFileSync(dir + "/fullchain.pem", "utf8")   // leaf + intermediate(s), sent to the client
})

I got the idea from this answer although it is not referring to the naming convention used by LetsEncrypt so I had to adapt it a bit.
