Zertifikat nicht vertrauenswürdig SSL-Website in Android mit benutzerdefiniertem TrustManager

Meine App stellt eine Verbindung zu meiner eigenen Website her (die ein gültiges Let's Encrypt-Zertifikat verwendet) über https, aber Android vertraut dem Zertifikat nicht. Es gibt diese Ausnahme:Zertifikat nicht vertrauenswürdig SSL-Website in Android mit benutzerdefiniertem TrustManager

07-21 13:26:56.161 9679-9679/com.abyx.loyalty W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.Connection.connectTls(Connection.java:235) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.Connection.connectSocket(Connection.java:199) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.Connection.connect(Connection.java:172) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:367) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:130) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:247) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:457) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:405) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:243) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at java.net.URL.openStream(URL.java:1058) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.abyx.loyalty.tasks.LogoTask.downloadLogo(LogoTask.java:140) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:110) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:63) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at android.os.AsyncTask$2.call(AsyncTask.java:305) 
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err:  at java.util.concurrent.FutureTask.run(FutureTask.java:237) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at java.lang.Thread.run(Thread.java:761) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357) 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  ... 21 more 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. 
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err:  ... 31 more

ich die offizielle Android Führung folgte dieser Ausgabe über die Festsetzung von meinem eigenen Zertifikat zu akzeptieren (https://developer.android.com/training/articles/security-ssl.html), aber das Problem bleibt.

Jetzt habe ich versucht, dieses Problem zu debuggen und das Zertifikat ausgedruckt, das Android von meiner Website extrahiert und das, das ich ihm übergebe, aber sie sind identisch! Wie kann es sich immer noch beschweren und dem Zertifikat nicht vertrauen?

Dies ist mein Code:

public String getJSON(String store, Context context) throws IOException, LogoNotFoundException { 
     try { 
      // Load CAs from an InputStream 
      CertificateFactory cf = CertificateFactory.getInstance("X.509"); 
      InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.abyx)); 
      Certificate ca; 
      try { 
       ca = cf.generateCertificate(caInput); 
       System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN()); 
      } finally { 
       caInput.close(); 
      } 

      // Create a KeyStore containing our trusted CAs 
      String keyStoreType = KeyStore.getDefaultType(); 
      KeyStore keyStore = KeyStore.getInstance(keyStoreType); 
      keyStore.load(null, null); 
      keyStore.setCertificateEntry("ca", ca); 

      // Create a TrustManager that trusts the CAs in our KeyStore 
      String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); 
      TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm); 
      tmf.init(keyStore); 

      // Create an SSLContext that uses our TrustManager 
      SSLContext sslContext = SSLContext.getInstance("TLS"); 
      sslContext.init(null, tmf.getTrustManagers(), null); 

      store = URLEncoder.encode(store, "UTF-8"); 
      String response; 
      URL url = new URL("https://www.abyx.be/loyalty/public/logo/" + URLEncoder.encode(store, "utf-8")); 
      HttpsURLConnection connection = (HttpsURLConnection) url.openConnection(); 
      connection.setSSLSocketFactory(sslContext.getSocketFactory()); 
      connection.connect(); 
      Certificate[] certificates = connection.getServerCertificates(); 
      for (Certificate cert: certificates) { 
       System.out.println(cert); 
      } 
      connection.setRequestMethod("GET"); 
      int statusCode = connection.getResponseCode(); 
      if (statusCode == 200) { 
       InputStream in = new BufferedInputStream(connection.getInputStream()); 
       response = IOUtils.toString(in, "UTF-8"); 
      } else if (statusCode == 404) { 
       throw new LogoNotFoundException(); 
      } else { 
       throw new IOException("Unable to connect to Loyalty API!"); 
      } 
      return response; 
     } catch (KeyStoreException | NoSuchAlgorithmException | KeyManagementException | CertificateException e) { 
      throw new IOException(e); 
     } 
    }

Dies ist die Website, die ich zu verbinden bin versucht: https://abyx.be

keine Gedanken darüber, was ich falsch gemacht haben könnte?

Das ist mein Zertifikat:

Und das ist das Zertifikat mit openssl x509 decodiert.

$ openssl x509 -in temp.pem -text -noout 
Certificate: 
    Data: 
     Version: 3 (0x2) 
     Serial Number: 
      03:63:20:83:cd:26:7a:fb:af:8b:e9:75:41:c2:ff:3e:96:2a 
    Signature Algorithm: sha256WithRSAEncryption 
     Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 
     Validity 
      Not Before: Jul 8 23:07:00 2017 GMT 
      Not After : Oct 6 23:07:00 2017 GMT 
     Subject: CN=abyx.be 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (4096 bit) 
       Modulus: 
        00:c3:09:c4:e8:80:35:54:f1:b8:71:df:00:8c:4a: 
        6d:eb:86:0c:f9:9a:13:f6:99:aa:b7:08:08:77:b1: 
        b3:fc:52:0e:11:04:de:7b:8a:bc:04:97:1c:48:01: 
        28:58:6c:61:17:bf:66:d6:db:46:fa:38:09:25:c9: 
        34:6b:2a:bd:e5:37:9e:6f:fc:9f:01:4d:37:a2:1c: 
        82:10:5e:c6:85:4c:52:cf:4c:2e:e8:39:49:dc:72: 
        c4:91:82:b6:11:be:92:db:91:67:82:8e:78:c0:c0: 
        f2:69:ca:2f:44:2c:1e:d9:87:44:e6:1b:5d:a2:a2: 
        58:17:39:9b:0a:85:fd:03:ed:88:44:20:23:98:7f: 
        a8:5d:97:fb:b0:4b:a2:4a:f0:cc:e3:50:00:ed:dc: 
        96:f6:0e:e8:07:28:2f:bd:19:96:ea:5b:ed:b7:de: 
        0a:6b:6a:df:b9:21:a2:bf:62:a2:79:95:c8:48:6d: 
        03:e7:7a:0d:01:0c:2c:2e:b8:1b:61:9c:09:a2:43: 
        fc:9f:3f:32:73:e5:47:57:2b:25:f1:6c:46:e1:d4: 
        b2:55:c8:c4:93:3a:a8:ad:6e:0f:9a:af:36:29:20: 
        c3:30:e2:5e:a6:f9:73:0a:37:a2:6b:d0:11:91:8b: 
        36:91:f1:6b:ed:2d:6f:d5:28:d7:25:6d:ae:29:82: 
        40:6e:63:10:dc:97:a5:2e:4f:59:92:29:08:d0:45: 
        30:f1:79:42:a5:4c:6f:25:7e:df:5d:70:30:48:9f: 
        42:ab:05:b4:df:0e:13:a4:d0:5a:7c:d0:50:11:79: 
        e1:a7:9c:f5:d0:ed:02:fa:b9:42:a1:62:41:64:ea: 
        c9:0c:ca:80:50:f1:aa:8e:a1:4e:4a:40:a3:2a:c1: 
        7c:4c:bb:e6:61:c5:49:87:e3:90:b3:4c:6a:6f:26: 
        01:d6:48:66:bb:f9:c9:05:41:85:df:a6:8f:f6:8b: 
        01:6e:4b:55:15:e6:c7:cc:fa:06:c6:76:73:d7:59: 
        13:57:b7:ca:a1:9f:71:9c:55:fc:a1:9f:70:59:5e: 
        2f:c8:06:a1:c0:7b:b1:65:c7:65:18:17:61:cf:ea: 
        2f:bf:8e:0c:8c:97:ae:b3:a7:2e:58:d6:ce:4e:65: 
        68:16:0f:8a:99:2f:f1:3f:27:c0:e3:d6:32:c7:67: 
        71:4e:9c:ce:d8:cc:7b:34:88:52:2b:9b:d7:5d:fd: 
        fe:84:f3:6d:8d:ae:cb:2a:82:46:67:ba:19:29:40: 
        e5:20:41:57:6e:5d:70:90:bf:c7:6c:65:c8:ad:bc: 
        58:e3:2f:df:87:ea:3c:0d:91:a1:38:e5:04:46:84: 
        31:39:bf:b4:0f:36:5b:de:b6:6a:99:b9:56:5f:47: 
        09:31:0b 
       Exponent: 65537 (0x10001) 
     X509v3 extensions: 
      X509v3 Key Usage: critical 
       Digital Signature, Key Encipherment 
      X509v3 Extended Key Usage: 
       TLS Web Server Authentication, TLS Web Client Authentication 
      X509v3 Basic Constraints: critical 
       CA:FALSE 
      X509v3 Subject Key Identifier: 
       3C:7E:64:F4:E9:52:7A:B4:F3:5F:8C:B9:B1:9F:08:D7:3A:40:69:C9 
      X509v3 Authority Key Identifier: 
       keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1 

      Authority Information Access: 
       OCSP - URI:http://ocsp.int-x3.letsencrypt.org 
       CA Issuers - URI:http://cert.int-x3.letsencrypt.org/ 

      X509v3 Subject Alternative Name: 
       DNS:abyx.be, DNS:www.abyx.be 
      X509v3 Certificate Policies: 
       Policy: 2.23.140.1.2.1 
       Policy: 1.3.6.1.4.1.44947.1.1.1 
        CPS: http://cps.letsencrypt.org 
        User Notice: 
        Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/ 

    Signature Algorithm: sha256WithRSAEncryption 
     53:04:9b:32:10:10:e0:bb:0e:14:3a:5c:00:3c:aa:6f:e1:1e: 
     b9:94:19:a6:d0:08:14:20:ec:c1:13:c8:8d:7b:91:5e:1d:78: 
     22:c9:86:fd:77:e0:8d:98:85:1a:1c:86:c0:43:4c:e8:ad:0c: 
     7e:54:c1:b5:09:40:10:05:8a:44:d0:b3:e3:64:1d:7d:fa:99: 
     64:5c:78:59:ee:ca:d7:6c:2a:d7:97:85:b2:27:7f:44:c7:11: 
     e9:b6:d0:b1:22:9a:33:51:b4:b5:28:d6:24:c4:41:c5:11:97: 
     a5:28:8a:2c:b8:2d:13:84:8d:c2:98:7b:1f:83:c7:4d:44:0f: 
     d8:b7:f3:fe:55:53:60:e3:8b:d7:b8:11:b8:46:87:27:7e:e4: 
     64:0d:ac:bd:e2:5e:d7:47:8c:b4:fe:37:48:f5:9b:0d:cf:ff: 
     65:e9:f4:0f:32:6b:c2:56:63:1e:ec:e5:f0:67:1a:ae:82:39: 
     f0:db:29:7d:8d:99:cb:a1:64:e5:e9:a6:a9:f8:ad:65:ae:90: 
     b4:b3:92:0b:31:af:0a:3b:81:1a:96:44:6c:bd:a4:95:95:c4: 
     1f:10:54:d1:89:ea:1c:42:ea:10:5c:dd:46:36:76:7e:d9:1f: 
     c7:5a:dc:ce:db:cb:6a:63:b3:29:83:3a:4e:df:5a:35:13:47: 
     fe:1f:f5:2e

Quelle

2017-07-21 Pieter Verschaffelt

Sie haben einen Fehler bei Apache-Server-Konfiguration, https://www.ssllabs.com/ssltest/analyze.html?d=www.abyx.be&s=185.182.56.117&latest sagt 'Server Zertifikatskette ist unvollständig ' – DeKaNszn

Vielen Dank! Ich habe etwas an der Serverkonfiguration geändert und es funktioniert jetzt. Etwas stimmte wirklich nicht mit der Kette. –

Posted Kommentar als Antwort, jetzt können Sie Frage als gelöst markieren – DeKaNszn

Sie haben einen Fehler bei der Apache-Server-Konfiguration, SSL Labs sagt, dass die Zertifikatskette des Servers unvollständig ist.

Serverkonfiguration müssen diese Zeilen enthalten:

SSLCertificateFile /etc/letsencrypt/live/$DOMAIN/cert.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN/privkey.pem 
SSLCertificateChainFile /etc/letsencrypt/live/$DOMAIN/chain.pem

Dritte Linie wichtig ist. Es gibt eine vollständige Zertifikatskette für die Überprüfung zum Client.

Quelle

2017-07-21 18:55:37 DeKaNszn

Diese Antwort lässt viel zu wünschen übrig. Klammer für Downvotes. Um sie zu vermeiden, sollten Sie in der Kette, die an den Client gesendet wird, wahrscheinlich angeben, was er benötigt. – jww

Zertifikat nicht vertrauenswürdig SSL-Website in Android mit benutzerdefiniertem TrustManager

Antwort

Verwandte Themen