Trust Anchor not found for Android SSL Connection

by

Contrary to the accepted answer you do not need a custom trust manager, you need to fix your server configuration!

I hit the same problem while connecting to an Apache server with an incorrectly installed dynadot/alphassl certificate. I’m connecting using HttpsUrlConnection (Java/Android), which was throwing –

javax.net.ssl.SSLHandshakeException: 
  java.security.cert.CertPathValidatorException: 
    Trust anchor for certification path not found.

The actual problem is a server misconfiguration – test it with http://www.digicert.com/help/ or similar, and it will even tell you the solution:

“The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.”

You can also check the certificate with openssl:

openssl s_client -debug -connect www.thedomaintocheck.com:443

You’ll probably see:

Verify return code: 21 (unable to verify the first certificate)

and, earlier in the output:

depth=0 OU = Domain Control Validated, CN = www.thedomaintocheck.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = www.thedomaintocheck.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = www.thedomaintocheck.com
verify error:num=21:unable to verify the first certificate`

The certificate chain will only contain 1 element (your certificate):

Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.thedomaintocheck.com
  i:/O=AlphaSSL/CN=AlphaSSL CA - G2

… but should reference the signing authorities in a chain back to one which is trusted by Android (Verisign, GlobalSign, etc):

Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.thedomaintocheck.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA

Instructions (and the intermediate certificates) for configuring your server are usually provided by the authority that issued your certificate, for example: http://www.alphassl.com/support/install-root-certificate.html

After installing the intermediate certificates provided by my certificate issuer I now have no errors when connecting using HttpsUrlConnection.

More Related Contents:

  1. Self-signed SSL acceptance on Android
  2. How can I set SignalR in Android Studio to ignore SSL issues for delvelopement
  3. accepting HTTPS connections with self-signed certificates
  4. Javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: Failure in SSL library, usually a protocol error
  5. How to install trusted CA certificate on Android device?
  6. How to enable TLS 1.2 support in an Android application (running on Android 4.1 JB)
  7. SSLHandshakeException: Handshake failed on Android N/7.0
  8. javax.net.ssl.SSLException: Read error: ssl=0x9524b800: I/O error during system call, Connection reset by peer
  9. Some androids apps won’t connect through fiddler
  10. Trusting all certificates with okHttp
  11. Safely fixing: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
  12. Android SSL – SNI support
  13. Custom SSL handling stopped working on Android 2.2 FroYo
  14. Apache HttpClient on Android producing CertPathValidatorException (IssuerName != SubjectName)
  15. Does Android Volley support SSL?
  16. Glide – javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
  17. Android volley self signed HTTPS trust anchor for certification path not found
  18. CertPathValidatorException : Trust anchor for certificate path not found – Retrofit Android
  19. How to get charles proxy work with Android 7 nougat?
  20. ‘No peer certificate’ error in Android 2.3 but NOT in 4
  21. CLEARTEXT communication not supported on Retrofit
  22. Google Play security alert for insecure TrustManager
  23. How Can I Access an SSL Connection Through Android?
  24. Reusing SSL Sessions in Android with HttpClient
  25. Xamarin Android issue connecting via HTTPS to site with self-signed certificate: “Trust anchor for certification path not found.”
  26. javax.net.ssl.sslpeerunverifiedexception no peer certificate
  27. Error “Could not load SSL library” on Android with TidHTTP
  28. How can I implement SSL Certificate Pinning while using React Native
  29. How can I make Android Volley perform HTTPS request, using a certificate self-signed by an Unknown CA?
  30. android Google Play Warning: SSL Error Handler Vulnerability

Leave a Comment