SSLException - Not trusted server certificate
Today when trying to upload from WigleWiFi 2.2 on Android 2.2.2 I am getting this error:
Fail
Exception Error: io problem: javax.net.ssl.SSLException: Not trusted server certificate
File location: /mnt/sdcard/wiglewifi/....csv
Just me? Things worked fine yesterday evening. The LetsEncrypt certificate on the web site is good through 4/30/16. Did the cert on the API upload change in some fashion?
Yep, it's an old phone.... anywhere I can look for a log with more info?
Maybe I need to load some of the LetsEncrypt chain from https://letsencrypt.org/certificates/ onto this old dog.
The errorstack shows the below.
I did pull the LetsEncrypt certificates down, convert them to .CRT format, and load them on my phone. That didn't help, unfortunately, still the same error on an Upload attempt.
WigleWifi error log - Feb 9, 2016 5:39:11 PM
versionName: 2.2
baseError: CertPathValidatorException: TrustAnchor for CertPath not found.
detail: Has data connection: true
packageName: net.wigle.wigleandroid
MODEL: Vortex
RELEASE: 2.2.2
BOARD: thunderc
BRAND: verizon
DEVICE: thunderc
DISPLAY: FRG83G
FINGERPRINT: verizon/thunderc/thunderc/thunderc:2.2.2/FRG83G/eng.lge.20110304.165951:user/release-keys
HOST: sp-android-02
ID: FRG83G
PRODUCT: thunderc
TAGS: release-keys
TIME: 1299225644000
TYPE: user
USER: lge
Thread: Thread[HttpUL-Thread-319,5,main] throwable: javax.net.ssl.SSLException: Not trusted server certificate
javax.net.ssl.SSLException: Not trusted server certificate
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:371)
at org.apache.harmony.luni.internal.net.www.protocol.http.HttpConnection.getSecureSocket(HttpConnection.java:168)
at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:399)
at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:147)
at net.wigle.wigleandroid.background.HttpFileUploader.createConnection(HttpFileUploader.java:101)
at net.wigle.wigleandroid.background.HttpFileUploader.connect(HttpFileUploader.java:51)
at net.wigle.wigleandroid.background.HttpFileUploader.upload(HttpFileUploader.java:129)
at net.wigle.wigleandroid.background.FileUploaderTask.doUpload(FileUploaderTask.java:199)
at net.wigle.wigleandroid.background.FileUploaderTask.doRun(FileUploaderTask.java:112)
at net.wigle.wigleandroid.background.FileUploaderTask.subRun(FileUploaderTask.java:90)
at net.wigle.wigleandroid.background.AbstractBackgroundTask.run(AbstractBackgroundTask.java:73)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:168)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
... 10 more
Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:149)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202)
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164)
... 11 more
The "413 Request Entity Too Large" was fixed via an nginx config earlier today, apologies for the problem.
For the elder 2.2.2 android version, that is missing the root cert needed by default:
"Android >= 2.3.6 ("DST Root CA X3" is included)"
https://community.letsencrypt.org/t/whi ... crypt/4394
Thanks Bobzilla, I grabbed the DST-Root-CA-X3 from Identrust (https://www.identrust.com/certificates/ ... ad-x3.html), converted and loaded it on my Android 2.2.2 and still no joy.
So I'm looking for a new cheap phone with at least 4.4
How did you load it? Wondering if it was just the chrome trusted list, and not what the java stack references. I'm guessing we could do a release where we add that root cert to the app's trusted list. The google compatibility library goes back to android 2.3, so I'm not sure how you are even running it on 2.2.2. I'm also not sure I can find that version on any of our test devices, making it difficult to test.
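The app-side option raised in the post above (adding the root to the app's own trusted list), as an added example; it is not WiGLE's code and not from any poster. The class and method names are hypothetical, and the root certificate is assumed to ship with the app as a PEM or DER stream. The platform store is consulted first and the bundled root only when no system trust anchor is found, so certificate validation is never switched off.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
// Added example (hypothetical class): platform CAs plus one root bundled with the app.
public final class ExtraRootTrust {
    // X509TrustManager backed by ks; a null ks selects the platform's default store.
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }
    // rootCert: the bundled root (PEM or DER), assumed here to ship as an app resource.
    public static SSLContext contextWithExtraRoot(InputStream rootCert) throws Exception {
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        extra.load(null, null); // empty in-memory store
        extra.setCertificateEntry("bundled-root",
                CertificateFactory.getInstance("X.509").generateCertificate(rootCert));
        final X509TrustManager system = trustManagerFor(null);
        final X509TrustManager bundled = trustManagerFor(extra);
        X509TrustManager both = new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                try {
                    system.checkServerTrusted(chain, authType);
                } catch (CertificateException missingAnchor) {
                    // Full path validation again, now anchored at the bundled root.
                    bundled.checkServerTrusted(chain, authType);
                }
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                system.checkClientTrusted(chain, authType);
            }
            public X509Certificate[] getAcceptedIssuers() { return system.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { both }, null);
        return ctx;
    }
}
```

Apply it per connection with `conn.setSSLSocketFactory(ctx.getSocketFactory())` on the `HttpsURLConnection`; hostname verification stays at the platform default.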
Sounds like you can on a rooted device by updating cacerts.bks, maybe that's what you've already tried. If so, that should have worked.
http://stackoverflow.com/questions/4461 ... oid-device
This page talks about just pulling the cacerts.bks file from an Android 3.2 emulator, might be more likely to work, and useful for the device to hit a bunch of other newer roots as well.
http://www.righthandedmonkey.com/2013/0 ... urity.html
I loaded the cert thusly:
The phone says it installed, but given that it's a ROOT CA cert, it might not be the right way to get it in the right store.
Get DST-Root-CA-X3.crt Root certificate from https://www.identrust.com/certificates/ ... ad-x3.html
Add BEGIN and END certificate lines and save to TXT file (this is a PEM certificate):
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Convert to binary/DER:
openssl x509 -in DST-Root-CA-X3.txt -inform pem -outform DER -out DST-Root-CA-X3.crt
Copy to phone Downloads folder
On phone, go into Settings -> Security -> Install from SD Card and install.
I used similar steps to load the LetsEncrypt and isrgrootX1 certificates.
It's probably time to be done with Android 2.2.2, it's been a good run with this $29 LG.
I've got a cheap Samsung Galaxy Core with 5.1 on it coming soon!
Ah, it sounds like from these posts that the method you used will only apply to Wifi and VPN, not Android sdk apps. And on Android before 4.0 there's no non-rooted user-facing way to load certs there. If the device is rooted it sounds like "all" you'd need to do is load a newer cacerts.bks file.
Download the updated cacerts.bks file from Android 3.2.
Connect your device to be updated (must be root). You may need to remount the /system folder as rw for read/write capabilities if you have failures on the push procedure.
Save a copy of the old cert file from your device:
adb pull /system/etc/security/cacerts.bks cacerts.bks.old
Put the updated cert file on your device:
adb push cacerts.bks /system/etc/security/
Reboot the device