证书受 PC 信任，但不受 Android 信任 [英] Certificate is trusted by PC but not by Android

问题描述

从今天早上开始，我的证书在 Android 上不再受信任，然后我的应用程序无法再连接:

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

如果我在 Google Chrome(PC 上)中尝试没有问题，并且证书是受信任的，但如果我在 Android 上的 Chrome 浏览器中尝试，它会告诉我证书不受信任.我能做什么?

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn't trusted. What can I do?

推荐答案

您的证书文件中可能缺少中间证书.如果您已经访问过具有相同证书卖家的另一个网站，则中间证书会被记住在您的浏览器中.对于您网站的每个访问者来说，这可能不会 - 甚至更好 - 不会是这种情况.要解决 SSL 连接中缺少中间证书的问题，您需要将中间证书添加到您自己的证书文件中.

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy 有一些关于中间证书的信息(但最好的来源始终是您的证书提供者):http://support.godaddy.com/help/article/868/什么是中间证书

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

我曾经遇到过这个中间证书问题(Commodo 也有)，我不得不将我自己的证书文件与中间 CA 结合起来才能工作.完成后，不再发生错误.

I once had this issue of an intermediate cert (with Commodo too) and had to combine my own cert file with the intermediate CA's to work. Once done no errors occurred anymore.

Godaddy 每个网络服务器的安装说明:http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

Installation instructions per webserver by Godaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

以下是 Commodo 自己最常用的安装指南列表:https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

And here is a list of the most common installation guides by Commodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

根据您使用的网络服务器，您需要指定所有证书(域证书、中间证书和根证书)或按顺序将它们组合成一个(例如对于 Nginx):

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (eg for Nginx) in the order:

1. 域证书
2. 中级证书
3. 根证书

在 SSH 终端中执行此操作的一种简单方法是键入:

An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile

<小时>

证书测试工具

如果您遇到更多问题或不确定证书是否正确，请尝试使用在线工具来验证您的 SSL 证书.例如:networking4all.com/en/ssl+certificates/quickscan

---

Certificate test tool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: networking4all.com/en/ssl+certificates/quickscan

请注意 android 2.2(可能更早)不支持 SNI，它允许不同主机名的多个 SSL 证书在一个 IP 地址上正常工作而不会出现问题.感谢@technyquist 提供该信息.请查看 这个关于 SNI 的 SO 问题，了解有关此问题的更多信息.

Please note android 2.2 (and probably older) do not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.

这篇关于证书受 PC 信任，但不受 Android 信任的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！