Android Question (Solved) Trust anchor for certification path not found

Alex_197

Well-Known Member
Licensed User
Longtime User
Hi, I have this error "Trust anchor for certification path not found" when I'm using HttpJob:

B4X:
ResponseError. Reason: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found., Response:

I just installed a new SSL certificate on my website and this error has started.

This is my code

B4X:
' Sub header assumed from the Log and error messages below; the posted snippet starts at Try
Private Sub CheckVersionOnServe
    Try
        Dim Params As String
        Dim response As String = ""
        Dim jobClients As HttpJob

        Params = "Ticket=" & Main.Ticket & "&RegKey=" & Main.RegKey & "&whattodo=checkversion"

        jobClients.Initialize("", Me)
        jobClients.PostString(modFun.Url, Params)

        ' Resumable sub: wait for the HTTPS request to complete
        Wait For (jobClients) JobDone(J As HttpJob)

        If J.Success = False Then
            ' Connection or TLS handshake failure (the trust anchor error lands here)
            ProgressDialogHide
            MsgboxAsync(modFun.NoConnection(Main.SQL1), "HCMS")
            Main.TestRet = True
        Else
            response = J.GetString
            str_response = response
            Main.TestRet = ApplyResponse(response)

            If IsError = True Then
                MsgboxAsync(MsgStr, "HCMS")
                Wait For msgbox_result(MsgRes As Int)
            End If

            Log("CheckVersionOnServer " & Main.TestRet)
        End If

        J.Release
        CallSubDelayed(Me, "CheckVersionOnServe_Complete")
    Catch
        Log("CheckVersionOnServe " & LastException.Message)
        modFun.ShowError("clsCheckVersion_CheckVersionOnServe " & LastException.Message)
    End Try
End Sub
 

drgottjr

Expert
Licensed User
Longtime User
you've got 3 issues here:
1) you configured your cert incorrectly
2) your cert is not recognized by google
3) your code is incorrect

if you would simply like to be able to access your
server while you sort out any issues relative to your
certificate, please refer to the attached.

this issue has been raised many times before. they all appear right beneath your post.

Alex_197

Well-Known Member
Licensed User
Longtime User
Thank you for your quick reply.

Alex_197

Well-Known Member
Licensed User
Longtime User
With Android I solved my problem by adding HU2_ACCEPTALL into Ctrl+B.
Can you tell me please what is wrong with the certificate? The website is working fine with this certificate.

Also, I'm using the same code with my iOS app and I have this error: "ResponseError: An SSL error has occurred and a secure connection to the server cannot be made., status code: 0"

Just in case - I have in my iOS Main this line #ATSEnabled: True
 

drgottjr

Expert
Licensed User
Longtime User
HU2_ACCEPTALL is not a solution (assuming you actually want to solve the problem).
it's a workaround, and it's usually the one suggested in cases where the user does not
control the server. where the user does control the server, the normal thing would be
to fix the problem and not ignore it with the workaround (no insult intended).

you say the website is working with the certificate. it's unclear what you mean by that.
clearly, if you cannot connect either via android or ios, something is not working. the
certificate doesn't really have anything to do with whether the website is working. it's
probably working fine, but you cannot access it. a browser or web client won't connect.
that's a different problem.

what is the server's url? have you tried connecting with chrome on your device? what
about a webview with webviewextras (and a chromeclient so you have access to the console)?
how about chrome or safari on a desktop? how about postman? any nugget output by
these tools can be of help.

the developer's tab in desktop chrome, at least, will let you examine the certificate.
that might tell you something. although desktop browsers are not the same as an http client,
which is what okhttp is.

if you tell us the url, it might be possible to learn a little more. there is a kind of chain of
authentication involved with ssl. in your case, it looks like the validator doesn't know where
your chain starts. it's easy to miss a step when setting up a certificate. certificate providers
often have a test suite to help you validate your certificate. you know, for a very, very small
annual donation, let's encrypt renews and vets my certificate periodically.
 

Alex_197

Well-Known Member
Licensed User
Longtime User
Thank you for your quick reply.

The website url is https://portal.hcmsemr.com and the page I need to open from my app is https://portal.hcmsemr.com/frmapi.aspx

You're right, I can open the website from my desktop chrome or edge but not from safari and not from chrome on my Android.

It seems that I need to get a correct SSL and reinstall it.
 

drgottjr

Expert
Licensed User
Longtime User
digicert has a new certificate hierarchy "G5", issued in march.
i'm seeing "untrusted source" when i try to access your website
with one of my tools. so that's a little different from what you see.

while major browsers like chrome, etc can apparently handle the new
structure (they really have to be at the cutting edge of an ever-changing
environment), http clients (like okhttp) are basically just software that
simplifies opening a socket to a web server and carrying out http operations
not involving html rendering, and they are left to their own devices to sort out
problems such as ssl cert issues.

your certificate is valid, but you need to configure android
(and, presumably, ios) to accept digicert's new system. the
workaround, as previously discussed, involves ignoring the
ssl handshake, which can be a risky proposition.

i think we have seen this problem before. it would involve
creating a security file which tells your device to recognize
your new type of certificate as valid. it might also be something
which could be done on the fly. offhand, i don't have a fix, but
i'm looking through past posts to see what has been done with
an untrusted source. whatever may have been done may still
apply in this particular case.

since your cert is valid, you may as well stay with the workaround
since we're talking about your site and a dedicated app.

by the way, here is what i was talking about earlier:
http://www.digicert.com/help/
but since your cert seems to be valid, it's not clear that it will help much. the problem is on the client side, not the server side.
 

Alex_197

Well-Known Member
Licensed User
Longtime User
Thank you for your reply.

It looks like we made a mistake when we submitted a CSR file to the SSL store. They have a dropdown list where we need to select the type of intermediate chain, and we selected the wrong item. It should be DigiTrust RSA CA 2018; at least this is what was selected a year ago, and the mobile devices and the website worked fine.

The SSL needs to be replaced with the correct one.
 
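To make the diagnosis above concrete, here is a simplified model of the path-building step behind "Trust anchor for certification path not found", added as an illustration and not code from the thread or from B4X/OkHttp. It follows subject/issuer names only (a real validator also checks signatures, validity dates and constraints); all CA names are constructed, and the wrong_intermediate case models the mis-selected chain described in the post. It also shows why an accept-all trust manager merely hides this result rather than fixing the chain the server sends.

```python
# Simplified model of certificate path building (illustration only; names are constructed).
# A real validator (Android CertPathValidator, OkHttp) also verifies signatures,
# validity periods and name constraints; this follows issuer links only.

def build_path(leaf, provided, trust_store):
    """Walk issuer links from the leaf through the certificates the server sent
    until an issuer is a root in the client's trust store. Returns the subjects on
    the path ending with the trusted root, or None when no anchor is reachable."""
    by_subject = {c["subject"]: c for c in provided}
    path = [leaf["subject"]]
    current = leaf
    while current["issuer"] not in trust_store:
        nxt = by_subject.get(current["issuer"])
        # Broken link (issuer not sent) or a loop (self-signed leaf): no anchor
        if nxt is None or nxt["subject"] in path:
            return None
        path.append(nxt["subject"])
        current = nxt
    path.append(current["issuer"])
    return path

def diagnose(leaf, provided, trust_store):
    """Return the client-side outcome: Android's error text, or the accepted path."""
    path = build_path(leaf, provided, trust_store)
    if path is None:
        return "Trust anchor for certification path not found"
    return "OK: " + " -> ".join(path)

# Constructed scenario: the device only ships the root; the server must send the
# intermediate that actually issued the leaf.
TRUST_STORE = {"Example Root CA"}
LEAF = {"subject": "portal.hcmsemr.com", "issuer": "Example Intermediate CA G5"}
RIGHT_INTERMEDIATE = {"subject": "Example Intermediate CA G5", "issuer": "Example Root CA"}
# The wrong dropdown choice: a genuine intermediate that did not issue this leaf.
WRONG_INTERMEDIATE = {"subject": "Example Intermediate CA 2018", "issuer": "Example Root CA"}

def correct_chain():
    return diagnose(LEAF, [LEAF, RIGHT_INTERMEDIATE], TRUST_STORE)

def wrong_intermediate():
    return diagnose(LEAF, [LEAF, WRONG_INTERMEDIATE], TRUST_STORE)

def missing_intermediate():
    return diagnose(LEAF, [LEAF], TRUST_STORE)

if __name__ == "__main__":
    for case in (correct_chain, wrong_intermediate, missing_intermediate):
        print(case.__name__, "->", case())
```

Desktop browsers often mask the second and third cases by fetching the missing intermediate themselves (AIA), which is why the site "worked" in Chrome while the app failed.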

Alex_197

Well-Known Member
Licensed User
Longtime User
Guys, thank you for your help.
The problem was the wrong type of SSL on the IIS.

Problem fixed.
 