Page 1 of 1
SSLException - Not trusted server certificate
Posted: Mon Feb 08, 2016 11:49 pm
by pejacoby
Today when trying to upload from WigleWiFi 2.2 on Android 2.2.2 I am getting this error:
Fail
Exception Error: io problem: javax.net.ssl.SSLException: Not trusted server certificate
File location: /mnt/sdcard/wiglewifi/....csv
Just me? Things worked fine yesterday evening. The LetsEncrypt certificate on the web site is good through 4/30/16. Did the cert on the API upload change in some fashion?
Re: SSLException - Not trusted server certificate
Posted: Tue Feb 09, 2016 6:36 am
by bobzilla
Interesting, we moved to nginx doing the ssl termination yesterday, same cert and tls/cipher settings. Still getting normal amount of uploads. That's an android version that's pretty far back, not sure what the issue would be though.
Re: SSLException - Not trusted server certificate
Posted: Tue Feb 09, 2016 12:56 pm
by pejacoby
Yep, it's an old phone.... anywhere I can look for a log with more info?
Maybe I need to load some of the LetsEncrypt chain from
https://letsencrypt.org/certificates/ onto this old dog.
Re: SSLException - Not trusted server certificate
Posted: Tue Feb 09, 2016 7:46 pm
by larsnl
Uploading gzipped Kismet logfiles are also generating an error since yesterday,
413 Request Entity Too Large.
Tried other browser / OS / internet connection / file not zipped, normally zipped
smallest I tried was 1,2 MB with no success.
Re: SSLException - Not trusted server certificate
Posted: Wed Feb 10, 2016 4:12 am
by pejacoby
The errorstack shows the below.
I did pull the LetsEncrypt certificates down, convert them to .CRT format, and load them on my phone. That didn't help, unfortunately, still the same error on an Upload attempt.
Code: Select all
WigleWifi error log - Feb 9, 2016 5:39:11 PM
versionName: 2.2
baseError: CertPathValidatorException: TrustAnchor for CertPath not found.
detail: Has data connection: true
packageName: net.wigle.wigleandroid
MODEL: Vortex
RELEASE: 2.2.2
BOARD: thunderc
BRAND: verizon
DEVICE: thunderc
DISPLAY: FRG83G
FINGERPRINT: verizon/thunderc/thunderc/thunderc:2.2.2/FRG83G/eng.lge.20110304.165951:user/release-keys
HOST: sp-android-02
ID: FRG83G
PRODUCT: thunderc
TAGS: release-keys
TIME: 1299225644000
TYPE: user
USER: lge
Thread: Thread[HttpUL-Thread-319,5,main] throwable: javax.net.ssl.SSLException: Not trusted server certificate
javax.net.ssl.SSLException: Not trusted server certificate
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:371)
at org.apache.harmony.luni.internal.net.www.protocol.http.HttpConnection.getSecureSocket(HttpConnection.java:168)
at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:399)
at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:147)
at net.wigle.wigleandroid.background.HttpFileUploader.createConnection(HttpFileUploader.java:101)
at net.wigle.wigleandroid.background.HttpFileUploader.connect(HttpFileUploader.java:51)
at net.wigle.wigleandroid.background.HttpFileUploader.upload(HttpFileUploader.java:129)
at net.wigle.wigleandroid.background.FileUploaderTask.doUpload(FileUploaderTask.java:199)
at net.wigle.wigleandroid.background.FileUploaderTask.doRun(FileUploaderTask.java:112)
at net.wigle.wigleandroid.background.FileUploaderTask.subRun(FileUploaderTask.java:90)
at net.wigle.wigleandroid.background.AbstractBackgroundTask.run(AbstractBackgroundTask.java:73)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:168)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
... 10 more
Caused by: java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:149)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202)
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164)
... 11 more
Re: SSLException - Not trusted server certificate
Posted: Wed Feb 10, 2016 6:40 pm
by resu-repus
I"m getting similiar problems uploading with my curl script - it's not processing gzip files. Attempts to upload via browsers are coming back file to large - even tho gzip file is only 5megs big (and I have uploaded much larger in the recent past).
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 4:09 am
by bobzilla
The "413 Request Entity Too Large" was fixed via an nginx config earlier today, apologies for the problem.
For the elder 2.2.2 android version, that is missing the root cert needed by default:
"Android >= 2.3.6 ("DST Root CA X3" is included)"
https://community.letsencrypt.org/t/whi ... crypt/4394
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 11:34 am
by resu-repus
Thanks bobzilla, and happy war roaming to you.
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 3:15 pm
by pejacoby
Thanks Bobzilla, I grabbed the DST-Root-CA-X3 from Identrust (
https://www.identrust.com/certificates/ ... ad-x3.html), converted and loaded it on my Android 2.2.2 and still no joy.
So I'm looking for a new cheap phone with at least 4.4
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 5:50 pm
by bobzilla
How did you load it? Wondering if it was just the chrome trusted list, and not what the java stack references. I'm guessing we could do a release where we add that root cert to the app's trusted list. The google compatibility library goes back to android 2.3, so I'm not sure how you are even running it on 2.2.2. I'm also not sure I can find that version on any of our test devices, making it difficult to test.
Sound like you can on a rooted device by updating cacerts.bks, maybe that's what you've already tried. If so, that should have worked.
http://stackoverflow.com/questions/4461 ... oid-device
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 6:09 pm
by bobzilla
This page talks about just pulling the cacerts.bks file from a android 3.2 emulator, might be more likely to work, and useful for the device to hit a bunch of other newer roots as well.
http://www.righthandedmonkey.com/2013/0 ... urity.html
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 7:00 pm
by pejacoby
I loaded the cert thusly:
Get DST-Root-CA-X3.crt Root certificate from
https://www.identrust.com/certificates/ ... ad-x3.html
Add BEGIN and END certificate lines and save to TXT file (this is a PEM certificate):
-----BEGIN CERTIFICATE-----
——END CERTIFICATE-----
Convert to binary/DER:
openssl x509 -in DST-Root-CA-X3.txt -inform pem -outform DER -out DST-Root-CA-X3.crt
Copy to phone Downloads folder
On phone, go into Settings -> Security -> Install from SD Card and install.
The phone says it installed, but given that it's a ROOT CA cert, it might not be the right way to get it in the right store.
I used similar steps to load the LetsEncrypt and isrgrootX1 certificates.
It's probably time to be done with Android 2.2.2, it's been a good run with this $29 LG.
I've got a cheap Samsung Galaxy Core with 5.1 on it coming soon!
Re: SSLException - Not trusted server certificate
Posted: Sat Feb 13, 2016 9:55 pm
by bobzilla
Ah, it sounds like from these posts that the method you used will only apply to Wifi and VPN, not Android sdk apps. And Android before 4.0 there's no non-rooted user-facing way to load certs there. If the device is rooted it sounds like "all" you'd need to do is load a newer cacerts.bks file.
Download the updated cacerts.bks file from Android 3.2.
Connect your device to be updated (must be root). You may need to remount the /system folder as rw for read/write capabilities if you have failures on the push procedure.
Save a copy of the old cert file from your device:
Code: Select all
adb pull /system/etc/security/cacerts.bks cacerts.bks.old
Put the updated cert file on your device
Code: Select all
adb push cacerts.bks /system/etc/security/
Reboot the device