Android App isn't accepting certificate

m.b · December 6, 2015, 5:25pm

Hi!
First: Thanks to Let’s Encrypt for the easy way of requesting a certificate.

I’ve set up a certificate on my webspace including several domains. It’s working perfectly on PC and in the browsers of Android. But if I want to make a HTTPS-Request from my Android-App it gets the error “couldn’t load webpage”.
I got the same error by using certificates from CAcert. I thought it’s because android doesn’t trust them.
But Android should trust Let’s Encrypt. (In the standard browser it works without any errors.)

What could be the reason for the error?

Thanks in advance, m.b

Osiris · December 6, 2015, 5:28pm

…Chip away some b#llcr#p about certificate chain… Didn’t read the “and in the browsers of Android”-part… Oopsie…

Test your server at SSL Labs and hopefully you’ll most likely find some kind of warning/error?

m.b · December 6, 2015, 5:40pm

SSL Labs says for IPv4 and IPv6 grade A.

I’m using this Library on Android: http://loopj.com/android-async-http/
It throws the following exception:
javax.net.ssl.SSLException: hostname in certificate didn't match

It seems like it gets the certificate from my hoster and not the Let’s Encrypt certificate…
The Android browser shows the Let’s Encrypt certificate.

Osiris · December 6, 2015, 5:43pm

Does the SSL Labs test say anything about “This site only works with SNI” or something? Anything about SNI?

Although I don’t think it’s likely your library wouldn’t implement SNI… That would be rather stupid…

Uch, shouldn’t have said that…: https://github.com/loopj/android-async-http/issues/224

m.b · December 6, 2015, 5:44pm

I can’t find anything about SNI on the SSL Labs site but I know my hoster uses SNI. And I found this: https://github.com/loopj/android-async-http/issues/991

I guess I have to look for another library?

selecadm · December 6, 2015, 5:47pm

Libraries that depend on Java 6 in 2015 year are bad. Yes, consider looking.

Osiris · December 6, 2015, 6:04pm

If your hoster uses name-based hosting (instead of IP-based), it should give a blue box with "This site works only in browsers with SNI support." in it in the Summary section at the top, just below the "A" and graphical rating bars.

m.b · December 6, 2015, 6:05pm

There is no blue box…

Osiris · December 6, 2015, 6:09pm

Interesting

One might say using a library which is missing the SNI feature should work if your hosting isn’t fully depending on SNI…

selecadm · December 6, 2015, 6:11pm

Can I look at your hostname? You can send via private messages.

m.b · December 6, 2015, 6:14pm

I’m new here. How can I write a private message?

selecadm · December 6, 2015, 6:16pm

Go to my profile: https://community.letsencrypt.org/users/selecadm/activity

On the right there will be “Message” button.

m.b · December 6, 2015, 6:17pm

I don’t find it. Can you write me a private message and I anwser?

m.b · December 6, 2015, 7:32pm

I use now Volley (http://developer.android.com/training/volley/index.html).
Volley supports SNI.

Thanks!