Apache server, followed the guide from here: https://www.startssl.com/Support?v=21
httpd.conf:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/private.key"
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
Works fine in Chrome but Firefox yields the following error:
Error code: SEC_ERROR_UNKNOWN_ISSUER
Analysis at https://www.sslshopper.com/ssl-checker.html says the following:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
How can I make the chain valid?
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
... You may need to install an Intermediate/chain certificate to link it to a trusted root certificate
The SSLCertificateChainFile option was obsoleted in Apache version 2.4.8 and any chain certificates need to be added to SSLCertificateFile instead. Since you are using 2.4.23 based on your comment this means that this setting was ignored. This means that no chain certificates were sent to the client, causing the validation error. You should have gotten a message in the error logs though pointing out the invalid setting.
I guess you can not. Mozilla was planning to distrust certificates issued by StartSSL for a period of one year starting in October 2016. Better use Let's encrypt as StartSSL (also known as StartCom is in trouble). What you see is probably that happening.
If curious you can read up more:
WoSign and StartCom issues summary document.
mozilla.dev.security.policy › Remediation Plan for WoSign and StartCom.
Related
As I read over internet I found out that there is a bug in Flutter with validating WildCard (example : *.mydomain.com) certificates and I didn't find any example or suggestions how to do that. The thing that I want to achieve are : Validating the certificate by it's name and to check if it's expired or not. Any good suggestions/examples are welcomed, because that's my first try with SSL and I'm not really familiar with it.
I am making api call using dio and and certificate is from comodo it is a wildcard ssl and it is not expired (its valid ssl) url work in ios but not in android apk
Thanks in advance!
I followed this guide on how to create my own CA and end entity certificates. My certificate authority (localhost) openssl config looks very similiar to this. According to this post I've set
[ v3_ca ]
basicConstraints = CA:TRUE
On my desktop devices there are no problems at all and https works fine.
Problems occur when I try to install the root certificate on my android device.
At first I installed the root certificate via the inbuilt 'install from storage' option (Settings / Security / Credential storage). Https works now but I always get the network may be monitored warning.
Following this article I took the certificate hash, renamed the rootca.pem file to {hashid}.0 file as suggested and moved it to /system/etc/security/cacerts/ using ADB on windows powershell (also set chmod and chown).
After rebooting my phone I can see that my authority certificate has been successfully added to android native trusted certificate storage. It's active by default.
Now I got rid of the networking monitor warning but ssl is not working anymore. Android chrome on remote debug throws:
broken https certificate missing net::ERR_UNEXPECTED (firefox on android says SEC_ERROR_UNKNOWN_ISSUER)
Is there a way to get around this/install it correctly? Did I forget something?
For those interested I'm sharing the solution:
Here's what I did to solve this:
(1) flashing my sm-g900f with odin v3.12.4-4 and latest twrp 3.3.0-0-klte
(2) backup relevant data, wipe system/cache/... with twrp afterwards
(3) flash 16.0-nightly-klte addonsu-16.0-arm open_gapps-arm-9.0-nano-20190428
(4) install certificate via security settings options. Shown as 'user cert' but no warning message and ssl works now :)
Thanks to JW09I4 from XDA-Developers for helping me out and guiding me through the process of updating my phone.
i'm facing problem when implementing ssl to my web. My web work as web services for android and ios. All goes very smooth until i implement the SSL certificates, suddenly the android (most of android except samsung) throw this error :
E/ErrorHTTP: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
then i google and landed to here :
google says about the error
support the google statement
work around for the error to accept the not valid ssl
it says that mostly happened because of :
The CA that issued the server certificate was unknown
The server certificate wasn't signed by a CA, but was self signed
The server configuration is missing an intermediate CA
Those three options already ruled out, i already check with ssl checker. Its none of those above, it's not unknown, it's not self signed, we're using comodo and the intermediates and root certificates also valid, you can check here : ssl checker for my link,
you can check it by yourself.
And now i'm stuck, the certificate is valid. The certificate also can open in samsung, but somehow fail in some other brand, for example xiao mi. I don't know where to look now, is it the :
the ssl configuration, i need to keep digging, even though it marked as valid in most validator.
make the android code more vulnerable, even some brand can access it, i mean is it because the brand or how ?.
The spec im using :
ASP .Net Core 2.0.
Kestrel.
Comodo certificates.
Native android.
Please help !, thank you.
WebAPI (built with .Net) is hosted on a server and called from iOS and Android apps using HTTPS. No changes has been made in certificates or otherwise. iOS app works fine, web app using the same api works fine but since this morning all Android apps (running on Android version 5x or less only) using the API has stared crashing with this error.
android.runtime.JavaProxyThrowable: System.AggregateException: One or more errors occurred. ---> System.Net.WebException: Error: TrustFailure (The authentication or decryption has failed.) ---> System.IO.IOException: The authentication or decryption has failed. ---> System.IO.IOException: The authentication or decryption has failed. ---> Mono.Security.Protocol.Tls.TlsException: Invalid certificate received from server.
Checked certificates, certificate chain, everything. No issues. If the certificate is invalid, no other apps should be working and why all of a sudden. Can someone point to where to look. I searched this site and found a few threads but their solutions require changes in Android app code. That can't be done (and deployed) so quickly. Why all of a sudden, if someone can throw some light on it. Even nothing has been updated in our test Android devices.
Tested the server through ssllab and handshakes come on Android simulations:
Solved and the app on those older Android versions works now. I had to disable COMODO root certificate COMODO RSA Certification Authority with SHA1 key afe5d244a8d1194230ff479fe2f897bbcd7a8cb4 in certificate manager everywhere it was. Apparently windows update added this and it was somehow conflicting and making an intermediate certificate not being sent from the server (in the second certificate chain, the first chain was ok). Normally if an intermediate certificate is not sent, clients download it from the issuer but Android mono framework apparently doesn't do that.
Thank you Adm Selec https://community.qualys.com/thread/15295 for the solution.
I'm using a package called coroinium cloud and I have recently set up ssl. Coronium cloud is a server package for apps developed with corona SDK. It uses nginx as the server for the package. There is a control panel that you connect to through your browser which loads fine and firefox says the certificate is trusted. However it does not work on the app but instead shows an error saying the certificate is not trusted (CertPathValidatorException on android). I used a tool by digicert to check the ssl configuration:
screenshot of digicert test
There were instructions by the creator of coronium cloud on how to set it up of which all I followed. I got the certificate from startssl.com and used there Nginx certificate. Does anyone know how I can fix this issue as it is holding me back from developing other features as I now can't use any part of my app till this is fixed.
Thank you in advance to anyone who can help me
You should use the certificate chain provided by your Certificate Authority, in the same time than your certificate, and follow the nxinx documentation:
https://nginx.org/en/docs/http/configuring_https_servers.html#chains
cat www.example.com.crt bundle.crt > www.example.com.chained.crt
And in your server block:
ssl_certificate www.example.com.chained.crt;