Android App Trust anchor for certification path not found


My domain is: https://www.schej.co.uk, running on an Amazon AWS instance (linux AMI) instance. My application is based on DropWizard 1.0.5, Java 1.8.0_111. FYI - Dropwizard is a package of open source Java components which make up a full stack, with Jetty as the HTTP server.

The application works fine accessed as above on desktop browsers, but android chrome browsers throw the error above. In addition, an android app attempting to connect to exposed webservices fails for the same reason.

To get the certs I ran: certbot-auto certonly -w . -d schej.co.uk -d www.schej.co.uk

This seemed to work fine, delivering cert.pem, chain.pem, fullchain.pem and privkey.pem

I then ran:
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_ket.p12 -name dw -CAfile fullchain.pem -caname root
to create the .p12 file, then

keytool -importkeystore -deststorepass xxxx -destkeypass xxx -destkeystore SchejKeystore.jks -srckeystore cert_and_ket.p12 -srcstoretype PKCS12 -alias dw
to create the PKCS12 keystore, then

keytool -import -trustcacerts -alias root -file fullchain.pem -keystore SchejKeystore.jks
to include the cert chain into the final jks, which I point dropwizard to to access the site over ssl.

Running https://www.digicert.com/help/ for my site seems to confirm the problem. What have I done wrong? Any help would be greatly appreciated - and given DropWizard is a relatively new platform, would greatly assist the community (or those of us without certificate experts).

Thanks in advance
Chris

I think the value for -in in your openssl command should be the fullchain.pem file rather than cert.pem. I don’t think you need the -CAfile flag at all. Something like:

openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out fullchain_and_key.p12

should work.
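The difference between the two pkcs12 commands, shown as an added example that is not part of the thread: it builds a throwaway root, intermediate and leaf (constructed here, not the schej.co.uk certificates; www.example.test is a placeholder), bundles the leaf both ways, and checks what a verifier holding only the root can do.

```shell
#!/bin/sh
# Added example, not from the thread: PKCS#12 built from cert.pem vs. fullchain.pem,
# and what a client that trusts only the root (as Android's system store does) can verify.
# All certificates below are constructed on the spot; www.example.test is a placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Root (self-signed) -> intermediate -> leaf, the same shape as root / LE intermediate / site cert.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj '/CN=Constructed Root' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj '/CN=Constructed Intermediate' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out leaf.csr -subj '/CN=www.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -extfile leaf.ext -days 2 -out cert.pem 2>/dev/null
cat cert.pem inter.pem > fullchain.pem   # same layout certbot uses for fullchain.pem

# The original command shape: -in cert.pem plus -CAfile. Without -chain, -CAfile only names a
# trust store and contributes nothing, so the bundle ends up holding the leaf alone.
openssl pkcs12 -export -inkey privkey.pem -in cert.pem -CAfile fullchain.pem -caname root \
  -out cert_only.p12 -passout pass:changeit
# The suggested fix: every certificate in fullchain.pem is carried into the bundle.
openssl pkcs12 -export -inkey privkey.pem -in fullchain.pem -out fullchain.p12 -passout pass:changeit

# Number of certificates a PKCS#12 file carries (password is the constructed one above).
count_p12_certs() {
  openssl pkcs12 -in "$1" -nokeys -passin pass:changeit 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
# What a verifier holding only the root can do, with and without the intermediate presented.
verify_with_intermediate() { openssl verify -CAfile root.pem -untrusted inter.pem cert.pem >/dev/null 2>&1; }
verify_leaf_alone()        { openssl verify -CAfile root.pem cert.pem >/dev/null 2>&1; }

echo "cert_only.p12 carries $(count_p12_certs cert_only.p12) certificate(s)"   # 1
echo "fullchain.p12 carries $(count_p12_certs fullchain.p12) certificate(s)"   # 2
verify_with_intermediate && echo "root + presented intermediate: leaf verifies"
verify_leaf_alone || echo "root only, leaf alone: no path to a trust anchor (the Android error)"
```

A server that loads the leaf-only bundle sends no intermediate in the handshake, which is exactly the "Trust anchor for certification path not found" situation on a client whose store holds only roots.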

Thanks, Patrick - it worked perfectly.

I’ve been pulling my hair out (what little is left) over certificates.

Best regards
Chris
