私のアプリはhttps経由で自分のWebサイト(有効なLet's Encryption証明書を使用)に接続しますが、Androidは証明書を信頼していません。この例外が発生します。
07-21 13:26:56.161 9679-9679/com.abyx.loyalty W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectTls(Connection.java:235)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectSocket(Connection.java:199)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connect(Connection.java:172)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:367)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:130)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:247)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:457)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:405)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:243)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at java.net.URL.openStream(URL.java:1058)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.downloadLogo(LogoTask.java:140)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:110)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:63)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at android.os.AsyncTask$2.call(AsyncTask.java:305)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.FutureTask.run(FutureTask.java:237)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.lang.Thread.run(Thread.java:761)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: ... 21 more
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: ... 31 more
自分の証明書(https://developer.android.com/training/articles/security-ssl.html)を受け入れてこの問題を修正するための公式Androidガイドに従いましたが、問題は解決していません。
今、私はこの問題をデバッグして、Androidが私のウェブサイトから抽出した証明書と私がそれに渡す証明書を印刷しようとしましたが、それらは同じです!それでも不平を言い、証明書を信頼できないのはどうしてですか?
これは私のコードです:
public String getJSON(String store, Context context) throws IOException, LogoNotFoundException {
try {
// Load CAs from an InputStream
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.abyx));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
store = URLEncoder.encode(store, "UTF-8");
String response;
URL url = new URL("https://www.abyx.be/loyalty/public/logo/" + URLEncoder.encode(store, "utf-8"));
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());
connection.connect();
Certificate[] certificates = connection.getServerCertificates();
for (Certificate cert: certificates) {
System.out.println(cert);
}
connection.setRequestMethod("GET");
int statusCode = connection.getResponseCode();
if (statusCode == 200) {
InputStream in = new BufferedInputStream(connection.getInputStream());
response = IOUtils.toString(in, "UTF-8");
} else if (statusCode == 404) {
throw new LogoNotFoundException();
} else {
throw new IOException("Unable to connect to Loyalty API!");
}
return response;
} catch (KeyStoreException | NoSuchAlgorithmException | KeyManagementException | CertificateException e) {
throw new IOException(e);
}
}
これは私が接続しようとしているウェブサイトです:https://abyx.be
私が間違ったことをしたかもしれないことについて何か考えはありますか?
これは私の証明書です:
-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgISA2Mgg80mevuvi+l1QcL/PpYqMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA3MDgyMzA3MDBaFw0x
NzEwMDYyMzA3MDBaMBIxEDAOBgNVBAMTB2FieXguYmUwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDDCcTogDVU8bhx3wCMSm3rhgz5mhP2maq3CAh3sbP8
Ug4RBN57irwElxxIAShYbGEXv2bW20b6OAklyTRrKr3lN55v/J8BTTeiHIIQXsaF
TFLPTC7oOUnccsSRgrYRvpLbkWeCjnjAwPJpyi9ELB7Zh0TmG12iolgXOZsKhf0D
7YhEICOYf6hdl/uwS6JK8MzjUADt3Jb2DugHKC+9GZbqW+233gprat+5IaK/YqJ5
lchIbQPneg0BDCwuuBthnAmiQ/yfPzJz5UdXKyXxbEbh1LJVyMSTOqitbg+arzYp
IMMw4l6m+XMKN6Jr0BGRizaR8WvtLW/VKNclba4pgkBuYxDcl6UuT1mSKQjQRTDx
eUKlTG8lft9dcDBIn0KrBbTfDhOk0Fp80FAReeGnnPXQ7QL6uUKhYkFk6skMyoBQ
8aqOoU5KQKMqwXxMu+ZhxUmH45CzTGpvJgHWSGa7+ckFQYXfpo/2iwFuS1UV5sfM
+gbGdnPXWRNXt8qhn3GcVfyhn3BZXi/IBqHAe7Flx2UYF2HP6i+/jgyMl66zpy5Y
1s5OZWgWD4qZL/E/J8Dj1jLHZ3FOnM7YzHs0iFIrm9dd/f6E822NrssqgkZnuhkp
QOUgQVduXXCQv8dsZcitvFjjL9+H6jwNkaE45QRGhDE5v7QPNlvetmqZuVZfRwkx
CwIDAQABo4ICFDCCAhAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ8fmT06VJ6tPNf
jLmxnwjXOkBpyTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
ZW5jcnlwdC5vcmcvMB8GA1UdEQQYMBaCB2FieXguYmWCC3d3dy5hYnl4LmJlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFMEmzIQEOC7DhQ6XAA8
qm/hHrmUGabQCBQg7METyI17kV4deCLJhv134I2YhRochsBDTOitDH5UwbUJQBAF
ikTQs+NkHX36mWRceFnuytdsKteXhbInf0THEem20LEimjNRtLUo1iTEQcURl6Uo
iiy4LROEjcKYex+Dx01ED9i38/5VU2Dji9e4EbhGhyd+5GQNrL3iXtdHjLT+N0j1
mw3P/2Xp9A8ya8JWYx7s5fBnGq6COfDbKX2NmcuhZOXppqn4rWWukLSzkgsxrwo7
gRqWRGy9pJWVxB8QVNGJ6hxC6hBc3UY2dn7ZH8da3M7by2pjsymDOk7fWjUTR/4f
9S4=
-----END CERTIFICATE-----
そして、これはを使用してデコードされた証明書openssl x509です。
$ openssl x509 -in temp.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:63:20:83:cd:26:7a:fb:af:8b:e9:75:41:c2:ff:3e:96:2a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jul 8 23:07:00 2017 GMT
Not After : Oct 6 23:07:00 2017 GMT
Subject: CN=abyx.be
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c3:09:c4:e8:80:35:54:f1:b8:71:df:00:8c:4a:
6d:eb:86:0c:f9:9a:13:f6:99:aa:b7:08:08:77:b1:
b3:fc:52:0e:11:04:de:7b:8a:bc:04:97:1c:48:01:
28:58:6c:61:17:bf:66:d6:db:46:fa:38:09:25:c9:
34:6b:2a:bd:e5:37:9e:6f:fc:9f:01:4d:37:a2:1c:
82:10:5e:c6:85:4c:52:cf:4c:2e:e8:39:49:dc:72:
c4:91:82:b6:11:be:92:db:91:67:82:8e:78:c0:c0:
f2:69:ca:2f:44:2c:1e:d9:87:44:e6:1b:5d:a2:a2:
58:17:39:9b:0a:85:fd:03:ed:88:44:20:23:98:7f:
a8:5d:97:fb:b0:4b:a2:4a:f0:cc:e3:50:00:ed:dc:
96:f6:0e:e8:07:28:2f:bd:19:96:ea:5b:ed:b7:de:
0a:6b:6a:df:b9:21:a2:bf:62:a2:79:95:c8:48:6d:
03:e7:7a:0d:01:0c:2c:2e:b8:1b:61:9c:09:a2:43:
fc:9f:3f:32:73:e5:47:57:2b:25:f1:6c:46:e1:d4:
b2:55:c8:c4:93:3a:a8:ad:6e:0f:9a:af:36:29:20:
c3:30:e2:5e:a6:f9:73:0a:37:a2:6b:d0:11:91:8b:
36:91:f1:6b:ed:2d:6f:d5:28:d7:25:6d:ae:29:82:
40:6e:63:10:dc:97:a5:2e:4f:59:92:29:08:d0:45:
30:f1:79:42:a5:4c:6f:25:7e:df:5d:70:30:48:9f:
42:ab:05:b4:df:0e:13:a4:d0:5a:7c:d0:50:11:79:
e1:a7:9c:f5:d0:ed:02:fa:b9:42:a1:62:41:64:ea:
c9:0c:ca:80:50:f1:aa:8e:a1:4e:4a:40:a3:2a:c1:
7c:4c:bb:e6:61:c5:49:87:e3:90:b3:4c:6a:6f:26:
01:d6:48:66:bb:f9:c9:05:41:85:df:a6:8f:f6:8b:
01:6e:4b:55:15:e6:c7:cc:fa:06:c6:76:73:d7:59:
13:57:b7:ca:a1:9f:71:9c:55:fc:a1:9f:70:59:5e:
2f:c8:06:a1:c0:7b:b1:65:c7:65:18:17:61:cf:ea:
2f:bf:8e:0c:8c:97:ae:b3:a7:2e:58:d6:ce:4e:65:
68:16:0f:8a:99:2f:f1:3f:27:c0:e3:d6:32:c7:67:
71:4e:9c:ce:d8:cc:7b:34:88:52:2b:9b:d7:5d:fd:
fe:84:f3:6d:8d:ae:cb:2a:82:46:67:ba:19:29:40:
e5:20:41:57:6e:5d:70:90:bf:c7:6c:65:c8:ad:bc:
58:e3:2f:df:87:ea:3c:0d:91:a1:38:e5:04:46:84:
31:39:bf:b4:0f:36:5b:de:b6:6a:99:b9:56:5f:47:
09:31:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
3C:7E:64:F4:E9:52:7A:B4:F3:5F:8C:B9:B1:9F:08:D7:3A:40:69:C9
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:abyx.be, DNS:www.abyx.be
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
53:04:9b:32:10:10:e0:bb:0e:14:3a:5c:00:3c:aa:6f:e1:1e:
b9:94:19:a6:d0:08:14:20:ec:c1:13:c8:8d:7b:91:5e:1d:78:
22:c9:86:fd:77:e0:8d:98:85:1a:1c:86:c0:43:4c:e8:ad:0c:
7e:54:c1:b5:09:40:10:05:8a:44:d0:b3:e3:64:1d:7d:fa:99:
64:5c:78:59:ee:ca:d7:6c:2a:d7:97:85:b2:27:7f:44:c7:11:
e9:b6:d0:b1:22:9a:33:51:b4:b5:28:d6:24:c4:41:c5:11:97:
a5:28:8a:2c:b8:2d:13:84:8d:c2:98:7b:1f:83:c7:4d:44:0f:
d8:b7:f3:fe:55:53:60:e3:8b:d7:b8:11:b8:46:87:27:7e:e4:
64:0d:ac:bd:e2:5e:d7:47:8c:b4:fe:37:48:f5:9b:0d:cf:ff:
65:e9:f4:0f:32:6b:c2:56:63:1e:ec:e5:f0:67:1a:ae:82:39:
f0:db:29:7d:8d:99:cb:a1:64:e5:e9:a6:a9:f8:ad:65:ae:90:
b4:b3:92:0b:31:af:0a:3b:81:1a:96:44:6c:bd:a4:95:95:c4:
1f:10:54:d1:89:ea:1c:42:ea:10:5c:dd:46:36:76:7e:d9:1f:
c7:5a:dc:ce:db:cb:6a:63:b3:29:83:3a:4e:df:5a:35:13:47:
fe:1f:f5:2e
Apacheサーバーの構成でエラーが発生しました。SSLLabsによると、サーバーの証明書チェーンが不完全です。
サーバー構成には、次の行が含まれている必要があります。
SSLCertificateFile /etc/letsencrypt/live/$DOMAIN/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/$DOMAIN/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/$DOMAIN/chain.pem
3行目は重要です。クライアントにチェックするための完全な証明書チェーンを提供します。
この記事はインターネットから収集されたものであり、転載の際にはソースを示してください。
侵害の場合は、連絡してください[email protected]
コメントを追加