matomo-org / matomo-sdk-android

SDK for Android to measure your apps with Matomo. Works on Android phones, tablets, Fire TV sticks, and more!
BSD 3-Clause "New" or "Revised" License

API 10 - https PIWIK server - Could not validate certificate signature - #119

Closed eldk closed 7 years ago

eldk commented 7 years ago

Hello,

Using API 19 and one PIWIK Server 2.16.5 (NGINX, SSL, letsencrypt), the events are sent:

```
10-15 02:07:59.053 14043 14043 D PIWIK:Tracker: URL added to the queue: ?_idvc=3&apiv=1&uid=f7a5aec6-b13a-4959-a2e7-a0f3a9bbbe2c&res=720x1280&idsite=1&send_image=0&cdt=2016-10-15%2002%3A07%3A59%2B0200&_viewts=1476466722&lang=fr&url=http%3A%2F%2Ftld.domain.app%2FMainActivity&country=FR&rec=1&_id=71c0ecc76bb5472e&new_visit=1&action_name=MainActivity&ua=Dalvik%2F1.6.0%20%28Linux%3B%20U%3B%20Android%204.4.2%3B%20HTC%20One%20mini%20Build%2FKOT49H%29&_idts=1476466274&rand=76399
10-15 02:09:59.051 14043 14073 D PIWIK:Dispatcher: Drained 1 events.
10-15 02:10:00.713 14043 14073 D PIWIK:Dispatcher: status code 204
10-15 02:10:00.713 14043 14073 D PIWIK:Dispatcher: Dispatched 1 events.
```

With the same server and app, an API 10 device throws this exception:

```
10-15 01:43:47.929 21711 21711 D PIWIK:Tracker: URL added to the queue: ?_idvc=6&apiv=1&uid=a63502e7-3bc5-49c2-adc5-e9c0069584e1&res=320x480&idsite=1&send_image=0&cdt=2016-10-15%2001%3A43%3A47%2B0200&_viewts=1476474566&lang=fr&url=http%3A%2F%2Ftld.domain.app%2FMainActivity&country=FR&rec=1&_id=af628cf6c51147fb&new_visit=1&action_name=MainActivity&ua=Dalvik%2F1.4.0%20%28Linux%3B%20U%3B%20Android%202.3.6%3B%20XT320%20Build%2FGRK39F%29&_idts=1476464424&rand=90454
10-15 01:45:47.959 21711 21726 D PIWIK:Dispatcher: Drained 1 events.
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: Cannot send request
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: javax.net.ssl.SSLHandshakeException: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:477)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.http.HttpConnection.setupSecureSocket(HttpConnection.java:185)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:433)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl$HttpsEngine.makeConnection(HttpsURLConnectionImpl.java:378)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnectionImpl.retrieveResponse(HttpURLConnectionImpl.java:1018)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:726)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.luni.internal.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:121)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.piwik.sdk.dispatcher.Dispatcher.dispatch(Dispatcher.java:219)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.piwik.sdk.dispatcher.Dispatcher$1.run(Dispatcher.java:165)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at java.lang.Thread.run(Thread.java:1019)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: Caused by: java.security.cert.CertificateException: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:161)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:664)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:474)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: ... 10 more
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(RFC3280CertPathUtilities.java:1504)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:399)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at java.security.cert.CertPathValidator.validate(CertPathValidator.java:197)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:156)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: ... 13 more
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: Caused by: java.security.SignatureException: Signature was not verified
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.apache.harmony.security.provider.cert.X509CertImpl.verify(X509CertImpl.java:522)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(CertPathValidatorUtilities.java:1551)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(RFC3280CertPathUtilities.java:1496)
10-15 01:45:48.239 21711 21726 W PIWIK:Dispatcher: ... 16 more
10-15 01:45:48.239 21711 21726 D PIWIK:Dispatcher: Dispatched 0 events.
```

Have you any clue?

Thanks, Eric

Screen capture of the certificate info when browsing the PIWIK SSL server index page with an API 10 device (https://community.letsencrypt.org/t/which-browsers-and-operating-systems-support-lets-encrypt/4394):


From https://www.ssllabs.com/ssltest/analyze.html on the PIWIK server:

Android 2.3.7 No SNI (2) RSA 4096 (SHA256) TLS 1.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH 2048 FS (2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.

eldk commented 7 years ago

Hello,

I have switched to OkHttp3, same result (simple sync URL call on an https URL):

javax.net.ssl.SSLHandshakeException: org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.

Thanks,

Eric

eldk commented 7 years ago

Trying to force TLS1_2 (still with OkHttp - https://github.com/square/okhttp/wiki/HTTPS), I have this error:

java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256], tlsVersions=[TLS_1_2], supportsTlsExtensions=true)], supported protocols=[SSLv3, TLSv1]

So the device supports SSLv3 and TLSv1.

Not sure that SNI is supported (it seems not to be the case for devices <= Android 2.3.7).

https://developer.android.com/reference/javax/net/ssl/SSLEngine.html

eldk commented 7 years ago

Ok,

That's solved: the full chain cert was not in the correct order + an (extra) old key was kept in the file. When this occurs, it seems that some devices will go ahead, but others will not.

NGINX : https://community.letsencrypt.org/t/solved-not-trusted-on-mobile-maybe-error-setting-up-chain-cert/13316/8

APACHE: https://community.letsencrypt.org/t/incorrect-order-and-extra-certificate-error/8759

So when checking the SSL conf of your server, check that there is no "Chain issues: Incorrect order, Extra certs", for example here: https://www.ssllabs.com/ssltest/index.html.

If so, correct the order of the keys in the file.

I will check at the next key renewal that the order is right.

Thanks, Eric
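The root cause in the last post (chain file in the wrong order, plus a stale extra certificate left in it) is exactly what SSL Labs reports under "Chain issues". The following is an added example, not code from this issue or from the Matomo SDK, that performs the same two checks offline in Go: each certificate must be signed by the one that follows it, leaf first, and no certificate may appear twice. The certificates are constructed in-process with throwaway Ed25519 keys; the names "Demo Root", "Demo Intermediate" and the leaf CN are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a constructed demo cert for cn signed by parent (nil parent: self-signed root); the random key doubles as serial.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(pub[:8]), Subject: pkix.Name{CommonName: cn},
		IsCA: isCA, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainIssues reports what SSL Labs flags as "Incorrect order" / "Extra certs": each cert must be signed by the next one (leaf first) and none may repeat.
func ChainIssues(chain []*x509.Certificate) (issues []string) {
	seen := map[string]bool{}
	for i, c := range chain {
		if seen[string(c.Raw)] {
			issues = append(issues, fmt.Sprintf("#%d %s: duplicate (extra cert)", i, c.Subject.CommonName))
		}
		seen[string(c.Raw)] = true
		if i+1 < len(chain) && c.CheckSignatureFrom(chain[i+1]) != nil {
			issues = append(issues, fmt.Sprintf("#%d %s: not signed by #%d (incorrect order)", i, c.Subject.CommonName, i+1))
		}
	}
	return issues
}

func main() {
	root, rootKey := makeCert("Demo Root", true, nil, nil)
	inter, interKey := makeCert("Demo Intermediate", true, root, rootKey)
	leaf, _ := makeCert("tld.domain.app", false, inter, interKey)
	fmt.Println(ChainIssues([]*x509.Certificate{leaf, inter, root}))  // correct order: no issues
	fmt.Println(ChainIssues([]*x509.Certificate{inter, leaf, inter})) // shuffled, plus a stale extra copy
}
```

To run the same check against a real server, parse the PEM blocks of its chain file (or the certificates from a TLS handshake) into `[]*x509.Certificate` and pass them to `ChainIssues`.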