java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. Android 2.3




On my server (production server), I have a GoDaddy SSL certificate. I have both iOS and Android apps connecting to the server. iOS connects with no problems, and Android devices with versions 4.* are all fine, but with devices running 2.3.* I always get an SSLHandshakeException.

I did exactly what the Android Developers page says (https://developer.android.com/training/articles/security-ssl.html).

I already saw similar threads here on Stack Overflow (here), but none of them is helping.

Then I saw this thread talking about Extended Key Usage, but when debugging I get the following information:

[2]: OID: 2.5.29.37, Critical: false
Extended Key Usage: [ "1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2" ]

So I guess the certificate is not "forcing" Extended Key Usage.

Also on this thread there are some other possible causes, such as the date/time being completely wrong, none of which is the case here.

Taking that into consideration, I now don't know where the problem might be.

Any suggestions?

EDIT: Stack trace below:

08-04 16:54:30.139: W/System.err(4832): Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
08-04 16:54:30.149: W/System.err(4832):     at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:161)
08-04 16:54:30.149: W/System.err(4832):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:664)
08-04 16:54:30.149: W/System.err(4832):     at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
08-04 16:54:30.159: W/System.err(4832):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:474)

Answer

It looks like the issuer of your certificate is not in the trust store of the 2.3 devices.

Take a look at the root and intermediate CAs of your GoDaddy certificate and check whether those certificates are present on your 2.3 device.

See http://www.andreabaccega.com/blog/2010/09/23/android-root-certification-authorities-list/ for a list of the CA certificates shipped with 2.3.

When only the root CA is available on the device, make sure that your web server also serves the intermediate certificates during the handshake.
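The answer names two separate reasons a client can report "Trust anchor for certification path not found": the root is missing from the device's trust store, or the server sends only its own certificate and the client cannot bridge the gap to a root it does trust. The script below is an added example, not code from the question, the answer or Android; it builds a throwaway root, intermediate and server certificate with the openssl command-line tool (all names are constructed) and then validates the server certificate the way a TLS client does, with the trust store and the served intermediates varied to reproduce both failures. The comment in the `chain_ok` function shows how to capture a real server's chain for the same check.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduces the two failure
# modes behind "Trust anchor for certification path not found" using a
# constructed CA hierarchy, then checks a chain the way a client does.
# Requires the openssl command-line tool. All names and files are made up here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue CSR CA_CERT CA_KEY EXTFILE OUT: sign a CSR with the given CA.
issue() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -out "$5" -days 365 -extfile "$4" >/dev/null 2>&1
}

# selfsign NAME SUBJECT: create a self-signed CA certificate NAME.pem.
selfsign() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" >/dev/null 2>&1
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.pem" -days 365 \
        -extfile ca.ext >/dev/null 2>&1
}

# Extension profiles: one for CA certificates, one for the server (end-entity)
# certificate, carrying the same serverAuth/clientAuth EKU seen in the question.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\n' > leaf.ext

# The root that actually issued our chain, and an unrelated root standing in
# for a device whose trust store does not contain ours.
selfsign root  "/CN=Constructed Test Root CA"
selfsign other "/CN=Constructed Unrelated Root CA"

# Intermediate signed by the root; server certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Constructed Test Intermediate CA" >/dev/null 2>&1
issue int.csr root.pem root.key ca.ext int.pem
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
issue leaf.csr int.pem int.key leaf.ext leaf.pem

# Stands in for a server that sends only its own certificate in the handshake.
: > nothing.pem

# chain_ok TRUSTSTORE SERVED_INTERMEDIATES LEAF
# TRUSTSTORE is the device's root CA set; SERVED_INTERMEDIATES is whatever the
# server sent alongside the leaf (empty file if it sent only the leaf).
# Against a live server the served chain can be captured with:
#   openssl s_client -connect host:443 -showcerts </dev/null
# Prints ok/FAIL and returns 0 (chain validates) or 1 (trust anchor not found).
chain_ok() {
    if [ -s "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && rc=0 || rc=1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && rc=0 || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok:   $3 chains to a root in $1 (intermediates: $2)"
    else
        echo "FAIL: $3 has no path to a root in $1 (intermediates: $2)"
    fi
    return "$rc"
}

# Case 1: root trusted, intermediate served          -> ok
# Case 2: root trusted, intermediate NOT served      -> FAIL (server misconfiguration)
# Case 3: root not in the trust store, intermediate served -> FAIL (device lacks the root)
chain_ok root.pem  int.pem     leaf.pem || true
chain_ok root.pem  nothing.pem leaf.pem || true
chain_ok other.pem int.pem     leaf.pem || true
```

Case 2 is the one the answer's last sentence addresses: the fix is on the server, by including the intermediate in the certificate chain it sends. Case 3 can only be fixed by switching to a certificate whose root the old device ships, or by bundling that CA with the app as the linked Android guide describes.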



Source: stackoverflow