证书受 PC 信任,但不受 Android 信任

Certificate is trusted by PC but not by Android(证书受 PC 信任,但不受 Android 信任)
本文介绍了证书受 PC 信任,但不受 Android 信任的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

从今天早上开始,我的证书在 Android 上不再受信任,然后我的应用程序无法再连接:

Since this morning, my certificate is not trusted anymore on Android and then my application cannot connect anymore:

 Catch exception while startHandshake: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 return an invalid session with invalid cipher suite of SSL_NULL_WITH_NULL_NULL
 javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
    at org.apache.harmony.xnet.provider.jsse.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:137)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
    at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:591)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:807)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:781)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:770)

如果我在 Google Chrome(PC 上)中尝试没有问题,并且证书是受信任的,但如果我在 Android 上的 Chrome 浏览器中尝试,它会告诉我证书不受信任.我能做什么?

If I try in Google Chrome (on PC) there's no problem and the certificate is trusted but if I try in Chrome browser on Android it tells me the certificate isn't trusted. What can I do?

推荐答案

您的证书文件中可能缺少中间证书.如果您已经访问过具有相同证书卖家的另一个网站,则中间证书会被记住在您的浏览器中.对于您网站的每个访问者来说,这可能不会 - 甚至更好 - 不会是这种情况.要解决 SSL 连接中缺少中间证书的问题,您需要将中间证书添加到您自己的证书文件中.

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

GoDaddy 有一些关于中间证书的信息(但最好的来源始终是您的证书提供者):http://support.godaddy.com/help/article/868/什么是中间证书

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

我曾经遇到过这个中间证书问题(Commodo 也有),我不得不将我自己的证书文件与中间 CA 结合起来才能工作.完成后,不再发生错误.

I once had this issue of an intermediate cert (with Commodo too) and had to combine my own cert file with the intermediate CA's to work. Once done no errors occurred anymore.

Godaddy 每个网络服务器的安装说明:http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

Installation instructions per webserver by Godaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

以下是 Commodo 自己最常用的安装指南列表:https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

And here is a list of the most common installation guides by Commodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

根据您使用的网络服务器,您需要指定所有证书(域证书、中间证书和根证书)或按顺序将它们组合成一个(例如对于 Nginx):

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (eg for Nginx) in the order:

  1. 域证书
  2. 中级证书
  3. 根证书

在 SSH 终端中执行此操作的一种简单方法是键入:

An easy way of doing this in an SSH terminal is by typing:

cat domainfile intermediatefile rootfile > targetfile

<小时>

证书测试工具

如果您遇到更多问题或不确定证书是否正确,请尝试使用在线工具来验证您的 SSL 证书.例如:networking4all.com/en/ssl+certificates/quickscan


Certificatetesttool

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: networking4all.com/en/ssl+certificates/quickscan

请注意 android 2.2(可能更早)不支持 SNI,它允许不同主机名的多个 SSL 证书在一个 IP 地址上正常工作而不会出现问题.感谢@technyquist 提供该信息.请查看 这个关于 SNI 的 SO 问题,了解有关此问题的更多信息.

Please note android 2.2 (and probably older) do not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNI for more information on this issue.

这篇关于证书受 PC 信任,但不受 Android 信任的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持编程学习网!

本站部分内容来源互联网,如果有图片或者内容侵犯您的权益请联系我们删除!

相关文档推荐

How to target newer versions in .gitlab-ci.yml using auto devops (java 11 instead of 8 and Android 31 instead of 29)(如何在.gitlab-ci.yml中使用自动开发工具(Java 11而不是8,Android 31而不是29)瞄准较新的版本)
Android + coreLibraryDesugaring: which Java 11 APIs can I expect to work?(Android+core LibraryDesugering:我可以期待哪些Java 11API能够工作?)
How to render something in an if statement React Native(如何在If语句中呈现某些内容Reaction Native)
How can I sync two flatList scroll position in react native(如何在本机Reaction中同步两个平面列表滚动位置)
Using Firebase Firestore in offline only mode(在仅脱机模式下使用Firebase FiRestore)
Crash on Google Play Pre-Launch Report: java.lang.NoSuchMethodError(Google Play发布前崩溃报告:java.lang.NoSuchMethodError)