如何修复“未找到证书 - Chrome 应用已请求证书"?安卓/谷歌浏览器问题 [英] How can I fix the "No certificates found - The app Chrome has requested a certificate" Android / Google Chrome issue
问题描述
问题
我们的一些网站用户在使用 Android 设备和 Google Chrome 访问我们网站的安全区域时遇到问题.
看起来像这样;
我已经能够使用 Browserstack 的物理设备测试在以下设备上复制该问题;
- 三星 Galaxy S6、三星 Galaxy S5、三星 Galaxy S4(Android v5 和 v4.4)
- Nexus 6(Android v6、v5 和 v4.4)
- Moto X 第二代(Android v6 和 v5)
我的研究
我在网上阅读的所有文章、论坛和问题(并没有很多,除非我在寻找错误的东西)都指向服务器和/或 SSL 证书的设置和配置,以及问题体验是设计的.
建议修复 1
到目前为止我发现的最有用的文章是
建议修复 2
Stack 上的另一个问题(
总结
一旦服务器重新配置了加密策略并且 IIS SSL 设置已设置为忽略客户端证书,未找到证书"就会出现.错误将得到解决.
The issue
Some of our website users are encountering an issue when accessing secure areas of our website, on Android devices, in Google Chrome.
It looks like this;
I've been able to replicate the issue on the following devices using Browserstack's physical device testing;
- Samsung Galaxy S6, Samsung Galaxy S5, Samsung Galaxy S4 (Android v5 and v4.4)
- Nexus 6 (Android v6, v5 and v4.4)
- Moto X 2nd Gen (Android v6 and v5)
My research
All the articles, forums and questions that I've read online (and there aren't many, unless I'm searching for the wrong thing) point to server and / or SSL certificate setup and configuration, and that the issue being experienced is by design.
Suggested fix 1
The most useful article I've found so far is Issue 268055 "No Certificates Found" on the chromium issue tracker.
Comment 18 suggests changing SSL settings in IIS;
I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that "Ignore" is selected for Client Certificates.
Comment 28 backs it up;
For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There's nothing that Chrome can do here - the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That's the prompt you're seeing - it's controlled by Android and all apps (Google or otherwise) are required to go through that flow.
This will occur with any site configured to request client certificates, so to resolve this, either don't request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).
kamakshi: This is all "By Design" behaviour, but requires server operators to change, so I'm not sure what to do with this bug.
As does comment 43;
I don't think people on this bug would know much about configuring IIS. You'd want to talk with Microsoft about that. From searching around, "Ignore Client Certificate" seems to be the option you want.
We've done that but it doesn't seem to have made a difference.
Suggested fix 2
Another question here on Stack ("certificate trusted on pc but not in android") suggests that an intermediate certificate might be missing;
You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.
I've checked and we have a domain certificate (which isn't a wildcard certificate), an intermediate certificate and a root certificate, so I don't think that's the issue either. I've also run a site checker test on the Networking4all website, and an SSL test on the Qualys SSL website and they both path without errors or warnings.
My question
Has anyone else encountered this issue? Are there any other solutions that we can try to fix it? I'm out of ideas at this point so any advice would be hugely appreciated.
Some extra details just in case
The server the website is on is running Windows Server 2008 R2 and IIS 7.5, and our SSL certificate provider is Thawte.
Thanks in advance!
Having just resolved this exact same issue, here's what I found...
Server Specs (essentially the same as O.P)
- Windows Server 2008 r2
- IIS 7.5
- SSL Provider: GeoTrust RapidSSL
First Issue: Out of Date Cryptographic Policies
Several articles pointed out the server may have out of date cryptographic policies. A bit of research revealed everything must be configured using registry settings. See the MS Support article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll for detailed information.
Not sure if your sever is up to date? SSL Labs' Server Test is a great tool for validating your site's cryptographic policies.
Manually Edit the Registry?
The MS Support article details editing the registry keys. Aack! A bit more research and I found a great utility called IIS Crypto by Nartac Software that will update all the registry keys in a single click. FYI: a reboot is required as well.
From the Nartac Software site:
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.
Second Issue: Incorrect IIS SSL Site Settings
The root of this issue due to the default of IIS setting the SSL Settings to "Accept" Client certificates. There is no need to accept client certs, so simply set the setting as "Ignore" (from the O.P.'s suggested fix #1 image).
Note: The image shows "Require SSL" is unchecked; for this discussion, whether it is checked is not relevant. All that matters is the site can connect using https.
Wrap Up
Once the server has the cryptographic policies reconfigured and the IIS SSL Settings have been set to ignore client certs, the "No certificates found" error will be resolved.
这篇关于如何修复“未找到证书 - Chrome 应用已请求证书"?安卓/谷歌浏览器问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
