SSLException Trust anchor for certification path not found

[Exagone313]

Hello,

I have the same issue that https://github.com/nilsbraden/ttrss-reader-fork/issues/287 ( https://cloud.githubusercontent.com/assets/11696581/7493629/e3eafc3e-f402-11e4-908b-9dfa164e6629.JPG ), i.e. unable to use my own self certificate. Since the last message ask to open a new issue, I do.

I downloaded the app (version 1.87.0) from F-droid because I don't want to build it myself (I'll try if necessary). I am on Android 4.4.2. Also, it seems impossible to install a self signed certificate on the Android store (see https://android.stackexchange.com/questions/61540/self-signed-certificate-install-claims-success-but-android-acts-as-if-cert-isn and I prefer not to create a new certificate). My certificate works on navigators and other apps like owncloud. Since it is open source, I'm sure you can take the code for that part (i.e. support self signed certificate) from other projects. You could also ask the user for a link to the public certificate on the storage (but download to the data directory is fine).

[nilsbraden]

Please drop me a mail (ttrss@nilsbraden.de) with your server-url so I can check the certificate.

[nilsbraden]

You may also want to try the build https://github.com/nilsbraden/ttrss-reader-fork/releases/tag/v1.88.0-debug where I disabled all the constraints on ssl connections and just use whatever the system provides. This may include unsafe configurations such as RC4 or SSLv3.

[amette]

I am having the same problem with my new Let's Encrypt certificate: "Trust anchor for certification path not found". Using the SSL Debug build of ttrss-reader does not help.

This is not a self-signed certificate, this is an official Let's Encrypt one. The certificate works nicely in the Firefox browser on the same phone. Do you bundle a CA store with ttrss-reader or something like that?

[nilsbraden]

"Do you bundle a CA store with ttrss-reader or something like that?" No but Firefox does. Please try with other applications first. And please read my last comment above yours.

[amette]

Yep, I had noticed your comment and already tried it out, please see my comment above: "Using the SSL Debug build of ttrss-reader does not help."

But Firefox having a CA store of its own explains a lot! I tried with the Android browser and that failed, too. I quickly figured out that it was my ttrss subdomain not serving the intermediate certificate - so totally a server configuration fault. This is the fix for #313 (from which I came over here), which imho is not a duplicate of this bug!

Reading the original author's description of this bug #312 here again, I think that the fix is to import his/her CA's certificate into the trust store of the phone. I have been doing that successfully for quite a while. Once more clearly: The certificate of the tinyrss instance shouldn't be importable into the trust store, that's not what it's for. The CA certificate needs to be imported into the trust store.

So imho this bug can be closed.

P.S.: Thanks for tt-rss! I use and love it every day! :)

[Exagone313]

Sorry for the lag. When I try your build, I get "Couldn't login to your account, please check your credentials." but I am absolutely sure what I entered is correct (I triple-checked to be sure.). Not any SSL error...

[ghostd]

Is this comment could be helpful? https://code.google.com/p/android/issues/detail?id=78187#c33

[nilsbraden]

I added a debug-build with the Netcipher library (https://guardianproject.info/code/netcipher/), you can find it here: https://github.com/nilsbraden/ttrss-reader-fork/releases/tag/v1.90.1-debug

[Exagone313]

I'm sorry but I don't use TTRSS anymore.

[rtalwar26]

+1

[BerndSy]

Hi,

I upgraded to version 1.91.1 on a tablet with Android Nougat and the error message reappeard. Works fine when I downgrade to 1.90.1. No problems on my phone with Android Marshmallow and 1.91.1. I have a seld-signed certificate, I don't use LetsEncrypt.

Regards,

Bernd

[marteno]

Having used a self-signed certificate (imported into Android) without problem doesn't work after phone updated to Android 7. Wonder if it could be related to this: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html

[drohhyn]

Maybe somebody is interested in the fix that worked for me: My configured SSL LE Cert in apaches vHost looked like this:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Now I've changed to the following and everything works fine!

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

Realised this misconfiguration (?) while having errors in other applications.

Just and addition to the comment above by @marteno: I've upgraded to lineage 14.1 (which depends on android 7.1) and had no problems either.