Certificate trusted on PC but not in Android


Question

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted, but if I try in Chrome on Android / the Android browser it tells me the certificate isn't trusted. What can I do?

Recommended answer

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

I once had this issue of an intermediate cert (with Comodo too) and had to combine my own cert file with the intermediate CA's to work. Once done no errors occurred anymore.

Installation instructions per webserver by GoDaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

And here is a list of the most common installation guides by Comodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/643/0/how-do-i-make-my-own-bundle-file-from-crt-files

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (e.g. for Nginx) in the order: domain + intermediate + root. An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile


Certificate test tool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: https://www.networking4all.com/en/support/tools/site+check/

Please note Android 2.2 (and probably older) does not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.
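
The bundle step from the answer above, as an added example that is not part of the original answer: it builds a throwaway root, intermediate and leaf with openssl, then checks what a client that trusts only the root can validate when the server sends the leaf alone versus the combined file, and whether the file is in issuer order. All certificate names, file names and function names here are constructed for the demo.

```shell
#!/bin/sh
# Added example. The three-level PKI and every name in it are constructed.

# issue NAME CN SIGNER [EXTFILE]: new key and CSR for NAME, signed by SIGNER
# ("self" makes a self-signed root).
issue() {
  name=$1; cn=$2; signer=$3; ext=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  if [ "$signer" = self ]; then
    set -- -signkey "$name.key"
  else
    set -- -CA "$signer.crt" -CAkey "$signer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$name.csr" -days 30 "$@" ${ext:+-extfile "$ext"} \
    -out "$name.crt" 2>/dev/null
}

# served_chain_ok ROOT SERVED: can a client that trusts only ROOT validate the
# first certificate in SERVED, using the rest of SERVED as untrusted helpers?
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1 | grep -q ': OK$'
}

# bundle_in_order FILE: each certificate must be issued by the one after it.
bundle_in_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
  awk '/^subject=/ { s = substr($0, 9); if (n++ && s != want) bad = 1 }
       /^issuer=/  { want = substr($0, 8) }
       END { exit (bad || n == 0) }'
}

build_demo() {  # creates the PKI and the combined server file in a temp dir
  DEMO=$(mktemp -d) && cd "$DEMO" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  issue root "Demo Root CA" self ca.ext &&
  issue int "Demo Intermediate CA" root ca.ext &&
  issue leaf "www.example.test" int &&
  cat leaf.crt int.crt root.crt > fullchain.pem   # domain + intermediate + root
}

build_demo || exit 1
served_chain_ok root.crt leaf.crt && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
served_chain_ok root.crt fullchain.pem && echo "bundle: trusted" || echo "bundle: NOT trusted"
bundle_in_order fullchain.pem && echo "bundle order: ok" || echo "bundle order: wrong"
```

The leaf-only case fails with the same root cause as the Android error in the question: the client holds the root but has no way to reach it from the leaf.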
