Can't connect to my server after updating a certificate
Janovlk opened this issue · 2 comments
Hello,
I use the Let's Encrypt service. My certificate was renewed today. Everything went okay, no error messages in logs, connection over https in browser works, but Grocy app says Network Error.
I use the Android 6.0.1 now.
Here is the log from application:
Network error:
javax.net.ssl.SSLHandshakeException
:
java.security.cert.CertPathValidatorException
: Trust anchor for certification path not found.
com.android.volley.NoConnectionError
:
javax.net.ssl.SSLHandshakeException
:
java.security.cert.CertPathValidatorException
: Trust anchor for certification path not found.
at
com.android.volley.toolbox.BasicNetwork.performRequest
(
BasicNetwork.java:378
)
at
com.android.volley.NetworkDispatcher.processRequest
(
NetworkDispatcher.java:62
)
at
com.android.volley.NetworkDispatcher.run
(
NetworkDispatcher.java:6
)
Caused by:
javax.net.ssl.SSLHandshakeException
:
java.security.cert.CertPathValidatorException
: Trust anchor for certification path not found.
at
org.conscrypt.SSLUtils.toSSLHandshakeException
(
SSLUtils.java:14
)
at
org.conscrypt.ConscryptEngine.convertException
(
ConscryptEngine.java:15
)
at
org.conscrypt.ConscryptEngine.readPlaintextData
(
ConscryptEngine.java:41
)
at
org.conscrypt.ConscryptEngine.unwrap
(
ConscryptEngine.java:49
)
at
org.conscrypt.ConscryptEngine.unwrap
(
ConscryptEngine.java:18
)
at
org.conscrypt.ConscryptEngine.unwrap
(
ConscryptEngine.java:2
)
at
org.conscrypt.ConscryptEngineSocket
$
SSLInputStream.processDataFromSocket
(
ConscryptEngineSocket.java:70
)
at
org.conscrypt.ConscryptEngineSocket
$
SSLInputStream.access
$100(
ConscryptEngineSocket.java:1
)
at
org.conscrypt.ConscryptEngineSocket.doHandshake
(
ConscryptEngineSocket.java:97
)
at
org.conscrypt.ConscryptEngineSocket.startHandshake
(
ConscryptEngineSocket.java:37
)
at
com.android.okhttp.internal.http.SocketConnector.connectTls
(
SocketConnector.java:103
)
at
com.android.okhttp.Connection.connect
(
Connection.java:143
)
at
com.android.okhttp.Connection.connectAndSetOwner
(
Connection.java:185
)
at
com.android.okhttp.OkHttpClient
$
1.connectAndSetOwner
(
OkHttpClient.java:128
)
at
com.android.okhttp.internal.http.HttpEngine.nextConnection
(
HttpEngine.java:342
)
at
com.android.okhttp.internal.http.HttpEngine.connect
(
HttpEngine.java:331
)
at
com.android.okhttp.internal.http.HttpEngine.sendRequest
(
HttpEngine.java:249
)
at
com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute
(
HttpURLConnectionImpl.java:437
)
at
com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse
(
HttpURLConnectionImpl.java:388
)
at
com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode
(
HttpURLConnectionImpl.java:501
)
at
com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode
(
DelegatingHttpsURLConnection.java:105
)
at
com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode
(
HttpsURLConnectionImpl.java:25
)
at
com.android.volley.toolbox.HurlStack.executeRequest
(
HurlStack.java:102
)
at
com.android.volley.toolbox.BasicNetwork.performRequest
(
BasicNetwork.java:80
)
... 2 more
Caused by:
java.security.cert.CertificateException
:
java.security.cert.CertPathValidatorException
: Trust anchor for certification path not found.
at
com.android.org.conscrypt.TrustManagerImpl.checkTrusted
(
TrustManagerImpl.java:324
)
at
com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted
(
TrustManagerImpl.java:225
)
at
java.lang.reflect.Method.invoke
(Native Method)
at
org.conscrypt.Platform.checkTrusted
(
Platform.java:33
)
at
org.conscrypt.Platform.checkServerTrusted
(
Platform.java:7
)
at
org.conscrypt.ConscryptEngine.verifyCertificateChain
(
ConscryptEngine.java:37
)
at
org.conscrypt.NativeCrypto
.ENGINE_SSL_read_direct(Native Method)
at
org.conscrypt.NativeSsl.readDirectByteBuffer
(
NativeSsl.java:17
)
at
org.conscrypt.ConscryptEngine.readPlaintextDataDirect
(
ConscryptEngine.java:7
)
at
org.conscrypt.ConscryptEngine.readPlaintextData
(
ConscryptEngine.java:22
)
... 23 more
Caused by:
java.security.cert.CertPathValidatorException
: Trust anchor for certification path not found.
... 33 more
I have no trace of connection in my log files since the error occured.
Do you have any idea?
Thank you,
Pavel
Hello all,
It's quiet here so I did some research on my own.
The Letsencrypt service now uses ISRG Root X1 as a main certificate. This is not included in certificate store of Android 7 and lower versions. These have the IdenTrust’s DST Root CA X3 certificate to which Letsencrypt issued their intermediate certificates. The DST Root CA X3 expired in 2021. So Letsencrypt provided crossigned certificates to allow older Android devices to connect to Letsencrypt signed services. Unfortunately these will expire on September 30th, 2024.
Since Thursday, Feb 8th, 2024 Letsencrypt stopped to provide the crossigned chain by default.
If someone got his certificate renewed he needs to renew certificate with a new option.
In Linux simply run this command: certbot renew --force-renewal --preferred-chain "DST Root CA X3"
This renews current (pointing to ISRG Root X1) certificate to a new one which is the old crossigned chain way.
You need to change in your Crontab the renewal command too. It should be like this: /usr/bin/certbot renew --preferred-chain "DST Root CA X3"
Now the worst news at the end.
The Letsencrypt will no longer provide any crossigned chain certificates since Thursday, June 6th, 2024. These certificates will expire on Monday, September 30th, 2024.
So older Androids are doomed after that day. The only solution is manually add to Android's certificate store the ISRG Root X1 and ISRG Root X2 certificates. Or maybe try another CA.
I hope it helps.
PP
Sorry we're currently busy with our jobs! Thank you for looking into it yourself! That sounds not that good, I hope the solution you mention works for you. But many certificate deadlines seem to be in 2024...