java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

I can read answers in English (yes or no): YES

My domain is: transbaluso.cl

The operating system my web server runs on is (include version):
Archlinux with Nginx 1.22.1

I can log in to a root shell on my server (yes, no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. if you use certbot, show the output of certbot --version or certbot-auto --version): 1.32.0

The certificate works perfectly with web clients and with an app I built with react-native on iOS, but it does not work on Android; on Android I get this error:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

None of the Android phones can connect to my API because of the certificate.
I have tried every possible solution on the software side, but it still does not work.

I wanted to ask here in case you know something about this error.

Regards!

1 Like

Hello @wrbutros, welcome to the Let's Encrypt community. :slightly_smiling_face:

What version of Java are you having an issue with?

Using SSL Server Test (Powered by Qualys SSL Labs) I see results SSL Server Test: transbaluso.cl (Powered by Qualys SSL Labs)

Supplemental information:
Here is a list of issued certificates crt.sh | transbaluso.cl, the latest being 2022-11-22.
However this is the certificate being served.

2 Likes

Hello @wrbutros,

I think the most likely cause is

In this case, you are using the "long chain" (with the expired root certificate).

4 Likes

Yes, but OP mentions they're using Android. And the long chain is for (older) Android phones. So one would assume there wouldn't be an issue with the long chain, right?

The following thread had the same issue with an older Android (5.1), but with a stock ROM everything was fine again: Trust anchor for certification path not found (Android 5.1) - #6 by Martin38

4 Likes

Good point!

4 Likes

Are you sure that error is for a connection to that domain name?

And, is it multiple Android devices that fail?

Because, as you say, the cert looks fine from a browser and your iOS app, just not this app. Bruce also shows SSLLabs showed the cert was fine.

So, I would guess the error is for something else. Or, perhaps your CA cert store on Android is damaged or your comms config selected an alternate CA Store.

4 Likes
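
The exception in this thread is raised when the client cannot build a path from the served certificate to any root in the trust store it is using, so the same certificate can validate on one client and fail on another. An added example, not part of the original posts, that reproduces this with `openssl verify`; every key, certificate, host name and file name in it is constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: every key, certificate and name is generated locally.
set -eu

make_ca() {  # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = leaf prefix, $2 = issuing CA prefix, $3 = host name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -days 1 -sha256 -out "$1.pem" 2>/dev/null
}

# Path validation of one leaf against one trust store (a PEM file of roots).
check_against_store() {  # $1 = trust store, $2 = leaf certificate
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "trusted"
  else
    echo "no-trust-anchor"
  fi
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/site-root" "Constructed Site Root"
  make_ca "$d/other-root" "Constructed Unrelated Root"
  make_leaf "$d/leaf" "$d/site-root" "api.example.test"
  # Same server certificate, two different client trust stores.
  echo "store-with-root=$(check_against_store "$d/site-root.pem" "$d/leaf.pem")"
  echo "store-without-root=$(check_against_store "$d/other-root.pem" "$d/leaf.pem")"
  rm -rf "$d"
}

demo
```

The server side is identical in both checks; only the store handed to the verifier changes, which is why comparing the failing client's trust configuration with a working one is a useful diagnostic step.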

Can you use that same Android device with Java and connect to other sites that also use LE certs with the long chain?

Can you provide the port used with your app?
[and a test query (URL) if not plain https://your.domain/]

2 Likes

Hi everyone!
I managed to make the application connect with my API successfully, but I'm still researching the origin of the problem.

More context:

  • My mobile application is made by React Native + Expo.
  • I compiled a version for iOS and another for Android.
  • The problem suddenly happened only on Android
    (on all the Android devices, without having made any change in the mobile app or the server)
  • iOS can connect with the API without problem
  • The website can communicate with the API without problem

It seems to be a problem with the axios library (specifically axiosinstance).
It's weird because I didn't change anything in the Android app; it just suddenly stopped working
(on all the Android devices at the same time).

And just by doing tests I realized that axiosinstance fails when doing the request (with the exception that I already showed you), but inexplicably, if the first request pointing to my API is made using axios, it works perfectly, and after that axiosinstance is able to perform any request to my API without failing.

I know it sounds weird, but now my app is working again.

On the other hand, just to let you know, I also tested an Android app called API Tester v5.6 and it fails connecting to my API, giving me the same exception, but its latest version, API Tester 5.7 (which was released just some days ago), works without problem.

I also tried to connect to my API with ApiClient v2.4.7 and it fails with the same exception.

Again, I don't understand what the real problem is, but it is definitely not the certificate.

Anyway, thank you so much for your help!
You are the best!

4 Likes