我的應用通過https連接到我自己的網站(使用有效的Let's encrypt證書),但Android不信任證書。它給出了這樣的例外:Android中使用自定義TrustManager的SSL網站不受信任的證書
07-21 13:26:56.161 9679-9679/com.abyx.loyalty W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectTls(Connection.java:235)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectSocket(Connection.java:199)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connect(Connection.java:172)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:367)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:130)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:247)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:457)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:405)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:243)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:210)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at java.net.URL.openStream(URL.java:1058)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.downloadLogo(LogoTask.java:140)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:110)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at com.abyx.loyalty.tasks.LogoTask.doInBackground(LogoTask.java:63)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at android.os.AsyncTask$2.call(AsyncTask.java:305)
07-21 13:26:56.162 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.FutureTask.run(FutureTask.java:237)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at java.lang.Thread.run(Thread.java:761)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:549)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:401)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:375)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:304)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:178)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:596)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: ... 21 more
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-21 13:26:56.163 9679-9679/com.abyx.loyalty W/System.err: ... 31 more
我也跟着上通過接受我自己的證書(https://developer.android.com/training/articles/security-ssl.html)解決此問題的官方Android引導,但問題依然存在。
現在,我試着調試此問題並打印出Android從我的網站中提取的證書以及我交給它的證書,但它們是相同的!它如何仍然抱怨和不信任證書?
這是我的代碼:
public String getJSON(String store, Context context) throws IOException, LogoNotFoundException {
try {
// Load CAs from an InputStream
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(context.getResources().openRawResource(R.raw.abyx));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
store = URLEncoder.encode(store, "UTF-8");
String response;
URL url = new URL("https://www.abyx.be/loyalty/public/logo/" + URLEncoder.encode(store, "utf-8"));
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());
connection.connect();
Certificate[] certificates = connection.getServerCertificates();
for (Certificate cert: certificates) {
System.out.println(cert);
}
connection.setRequestMethod("GET");
int statusCode = connection.getResponseCode();
if (statusCode == 200) {
InputStream in = new BufferedInputStream(connection.getInputStream());
response = IOUtils.toString(in, "UTF-8");
} else if (statusCode == 404) {
throw new LogoNotFoundException();
} else {
throw new IOException("Unable to connect to Loyalty API!");
}
return response;
} catch (KeyStoreException | NoSuchAlgorithmException | KeyManagementException | CertificateException e) {
throw new IOException(e);
}
}
這是我試圖連接到網站:https://abyx.be
任何思考什麼我可以做的不對嗎?
這是我的證件:
-----BEGIN CERTIFICATE-----
MIIF/jCCBOagAwIBAgISA2Mgg80mevuvi+l1QcL/PpYqMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA3MDgyMzA3MDBaFw0x
NzEwMDYyMzA3MDBaMBIxEDAOBgNVBAMTB2FieXguYmUwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDDCcTogDVU8bhx3wCMSm3rhgz5mhP2maq3CAh3sbP8
Ug4RBN57irwElxxIAShYbGEXv2bW20b6OAklyTRrKr3lN55v/J8BTTeiHIIQXsaF
TFLPTC7oOUnccsSRgrYRvpLbkWeCjnjAwPJpyi9ELB7Zh0TmG12iolgXOZsKhf0D
7YhEICOYf6hdl/uwS6JK8MzjUADt3Jb2DugHKC+9GZbqW+233gprat+5IaK/YqJ5
lchIbQPneg0BDCwuuBthnAmiQ/yfPzJz5UdXKyXxbEbh1LJVyMSTOqitbg+arzYp
IMMw4l6m+XMKN6Jr0BGRizaR8WvtLW/VKNclba4pgkBuYxDcl6UuT1mSKQjQRTDx
eUKlTG8lft9dcDBIn0KrBbTfDhOk0Fp80FAReeGnnPXQ7QL6uUKhYkFk6skMyoBQ
8aqOoU5KQKMqwXxMu+ZhxUmH45CzTGpvJgHWSGa7+ckFQYXfpo/2iwFuS1UV5sfM
+gbGdnPXWRNXt8qhn3GcVfyhn3BZXi/IBqHAe7Flx2UYF2HP6i+/jgyMl66zpy5Y
1s5OZWgWD4qZL/E/J8Dj1jLHZ3FOnM7YzHs0iFIrm9dd/f6E822NrssqgkZnuhkp
QOUgQVduXXCQv8dsZcitvFjjL9+H6jwNkaE45QRGhDE5v7QPNlvetmqZuVZfRwkx
CwIDAQABo4ICFDCCAhAwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQ8fmT06VJ6tPNf
jLmxnwjXOkBpyTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBvBggr
BgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14My5sZXRz
ZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRz
ZW5jcnlwdC5vcmcvMB8GA1UdEQQYMBaCB2FieXguYmWCC3d3dy5hYnl4LmJlMIH+
BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEF
BQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGe
DIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBS
ZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBD
ZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5v
cmcvcmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAFMEmzIQEOC7DhQ6XAA8
qm/hHrmUGabQCBQg7METyI17kV4deCLJhv134I2YhRochsBDTOitDH5UwbUJQBAF
ikTQs+NkHX36mWRceFnuytdsKteXhbInf0THEem20LEimjNRtLUo1iTEQcURl6Uo
iiy4LROEjcKYex+Dx01ED9i38/5VU2Dji9e4EbhGhyd+5GQNrL3iXtdHjLT+N0j1
mw3P/2Xp9A8ya8JWYx7s5fBnGq6COfDbKX2NmcuhZOXppqn4rWWukLSzkgsxrwo7
gRqWRGy9pJWVxB8QVNGJ6hxC6hBc3UY2dn7ZH8da3M7by2pjsymDOk7fWjUTR/4f
9S4=
-----END CERTIFICATE-----
這是使用openssl x509
證書解碼。
$ openssl x509 -in temp.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:63:20:83:cd:26:7a:fb:af:8b:e9:75:41:c2:ff:3e:96:2a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jul 8 23:07:00 2017 GMT
Not After : Oct 6 23:07:00 2017 GMT
Subject: CN=abyx.be
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:c3:09:c4:e8:80:35:54:f1:b8:71:df:00:8c:4a:
6d:eb:86:0c:f9:9a:13:f6:99:aa:b7:08:08:77:b1:
b3:fc:52:0e:11:04:de:7b:8a:bc:04:97:1c:48:01:
28:58:6c:61:17:bf:66:d6:db:46:fa:38:09:25:c9:
34:6b:2a:bd:e5:37:9e:6f:fc:9f:01:4d:37:a2:1c:
82:10:5e:c6:85:4c:52:cf:4c:2e:e8:39:49:dc:72:
c4:91:82:b6:11:be:92:db:91:67:82:8e:78:c0:c0:
f2:69:ca:2f:44:2c:1e:d9:87:44:e6:1b:5d:a2:a2:
58:17:39:9b:0a:85:fd:03:ed:88:44:20:23:98:7f:
a8:5d:97:fb:b0:4b:a2:4a:f0:cc:e3:50:00:ed:dc:
96:f6:0e:e8:07:28:2f:bd:19:96:ea:5b:ed:b7:de:
0a:6b:6a:df:b9:21:a2:bf:62:a2:79:95:c8:48:6d:
03:e7:7a:0d:01:0c:2c:2e:b8:1b:61:9c:09:a2:43:
fc:9f:3f:32:73:e5:47:57:2b:25:f1:6c:46:e1:d4:
b2:55:c8:c4:93:3a:a8:ad:6e:0f:9a:af:36:29:20:
c3:30:e2:5e:a6:f9:73:0a:37:a2:6b:d0:11:91:8b:
36:91:f1:6b:ed:2d:6f:d5:28:d7:25:6d:ae:29:82:
40:6e:63:10:dc:97:a5:2e:4f:59:92:29:08:d0:45:
30:f1:79:42:a5:4c:6f:25:7e:df:5d:70:30:48:9f:
42:ab:05:b4:df:0e:13:a4:d0:5a:7c:d0:50:11:79:
e1:a7:9c:f5:d0:ed:02:fa:b9:42:a1:62:41:64:ea:
c9:0c:ca:80:50:f1:aa:8e:a1:4e:4a:40:a3:2a:c1:
7c:4c:bb:e6:61:c5:49:87:e3:90:b3:4c:6a:6f:26:
01:d6:48:66:bb:f9:c9:05:41:85:df:a6:8f:f6:8b:
01:6e:4b:55:15:e6:c7:cc:fa:06:c6:76:73:d7:59:
13:57:b7:ca:a1:9f:71:9c:55:fc:a1:9f:70:59:5e:
2f:c8:06:a1:c0:7b:b1:65:c7:65:18:17:61:cf:ea:
2f:bf:8e:0c:8c:97:ae:b3:a7:2e:58:d6:ce:4e:65:
68:16:0f:8a:99:2f:f1:3f:27:c0:e3:d6:32:c7:67:
71:4e:9c:ce:d8:cc:7b:34:88:52:2b:9b:d7:5d:fd:
fe:84:f3:6d:8d:ae:cb:2a:82:46:67:ba:19:29:40:
e5:20:41:57:6e:5d:70:90:bf:c7:6c:65:c8:ad:bc:
58:e3:2f:df:87:ea:3c:0d:91:a1:38:e5:04:46:84:
31:39:bf:b4:0f:36:5b:de:b6:6a:99:b9:56:5f:47:
09:31:0b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
3C:7E:64:F4:E9:52:7A:B4:F3:5F:8C:B9:B1:9F:08:D7:3A:40:69:C9
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:abyx.be, DNS:www.abyx.be
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
53:04:9b:32:10:10:e0:bb:0e:14:3a:5c:00:3c:aa:6f:e1:1e:
b9:94:19:a6:d0:08:14:20:ec:c1:13:c8:8d:7b:91:5e:1d:78:
22:c9:86:fd:77:e0:8d:98:85:1a:1c:86:c0:43:4c:e8:ad:0c:
7e:54:c1:b5:09:40:10:05:8a:44:d0:b3:e3:64:1d:7d:fa:99:
64:5c:78:59:ee:ca:d7:6c:2a:d7:97:85:b2:27:7f:44:c7:11:
e9:b6:d0:b1:22:9a:33:51:b4:b5:28:d6:24:c4:41:c5:11:97:
a5:28:8a:2c:b8:2d:13:84:8d:c2:98:7b:1f:83:c7:4d:44:0f:
d8:b7:f3:fe:55:53:60:e3:8b:d7:b8:11:b8:46:87:27:7e:e4:
64:0d:ac:bd:e2:5e:d7:47:8c:b4:fe:37:48:f5:9b:0d:cf:ff:
65:e9:f4:0f:32:6b:c2:56:63:1e:ec:e5:f0:67:1a:ae:82:39:
f0:db:29:7d:8d:99:cb:a1:64:e5:e9:a6:a9:f8:ad:65:ae:90:
b4:b3:92:0b:31:af:0a:3b:81:1a:96:44:6c:bd:a4:95:95:c4:
1f:10:54:d1:89:ea:1c:42:ea:10:5c:dd:46:36:76:7e:d9:1f:
c7:5a:dc:ce:db:cb:6a:63:b3:29:83:3a:4e:df:5a:35:13:47:
fe:1f:f5:2e
您在Apache服務器配置錯誤,https://www.ssllabs.com/ssltest/analyze.html?d=www.abyx.be&s=185.182.56.117&latest說'服務器的證書鏈不完整' – DeKaNszn
謝謝!我已經改變了一些東西到服務器配置,它現在可以工作。連鎖店的確有些問題。 –
已發佈評論作爲答覆,現在你可以標記問題已解決 – DeKaNszn