Certificate is trusted by PC but not by Android


Problem description

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn't trusted. What can I do?

Recommended answer

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

I once had this issue of an intermediate cert (with Comodo too) and had to combine my own cert file with the intermediate CA's to work. Once done no errors occurred anymore.

Installation instructions per webserver by GoDaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

And here is a list of the most common installation guides by Comodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (e.g. for Nginx) in the order:

  1. Domain certificate
  2. Intermediate certificate
  3. Root certificate

An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile


Certificate test tool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: networking4all.com/en/ssl+certificates/quickscan

Please note that Android 2.2 (and probably older) does not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.
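
A check for the bundle order given in the answer, as an added example that is not part of the original answer: it builds a throwaway chain with `openssl` (the CA names and all file names are constructed) and confirms that each certificate in a bundle names the next one as its issuer. It compares names only and does not verify signatures.

```shell
# Added example. Throwaway CA names and all file names are constructed for this demo.

# make_chain DIR: create root -> intermediate -> leaf test certificates in DIR.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# check_bundle_order FILE: succeed only if FILE holds at least two certificates and
# each one names the next as its issuer (names only; signatures are not verified).
check_bundle_order() (
  tmp=$(mktemp -d) || return 2
  trap 'rm -rf "$tmp"' EXIT
  # Split the PEM bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
    n { print > (dir "/cert" n ".pem") }' "$1"
  count=$(find "$tmp" -name 'cert*.pem' | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    echo "$1: only $count certificate(s), no intermediate is sent" >&2
    return 1
  fi
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$tmp/cert$i.pem")
    subject=$(openssl x509 -noout -subject -in "$tmp/cert$((i + 1)).pem")
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "$1: cert $i is not issued by cert $((i + 1))" >&2
      return 1
    fi
    i=$((i + 1))
  done
)

# Demo: the order from the answer passes; a bundle without the intermediate fails.
demo_dir=$(mktemp -d)
make_chain "$demo_dir"
cat "$demo_dir/leaf.pem" "$demo_dir/int.pem" "$demo_dir/root.pem" > "$demo_dir/good.pem"
cat "$demo_dir/leaf.pem" "$demo_dir/root.pem" > "$demo_dir/missing.pem"
check_bundle_order "$demo_dir/good.pem" && echo "good.pem: order OK"
check_bundle_order "$demo_dir/missing.pem" || echo "missing.pem: rejected"
```

Run `check_bundle_order` on the combined file before installing it on the web server; a failure means the file is in the wrong order or an intermediate is missing.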
