javax.net.ssl.SSLPeerUnverifiedException: No peer certificate


#1

I have my certificate set up for my site correctly, or so I thought, until I tried to connect to it via an Android application. The error thrown by the Android app is as shown in the title: javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

I checked the certificate via ssllabs.com (https://www.ssllabs.com/ssltest/analyze.html?d=zacksmohawk.com) and got an ‘A’ rating.

I then checked it out via terminal (openssl s_client -connect zacksmohawk.com:443) and got the following result:

CONNECTED(00000003)
depth=1 /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
0 s:/CN=zacksmohawk.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
subject=/CN=zacksmohawk.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

No client certificate CA names sent

SSL handshake has read 3715 bytes and written 456 bytes

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES128-SHA
Session-ID: BB0E3A9B3480660952B5983D2FAE8DBD8F0C006CD155A1903C7D7DC218DA5A71
Session-ID-ctx:
Master-Key: 605C82C6FEC57ECFA0EF0449B87435C5492059F74F6577B5D73172FDF56B92207BFFC16483808B3CCFD5919C708550AB
Key-Arg : None
Start Time: 1535994436
Timeout : 300 (sec)
Verify return code: 0 (ok)

I have seen various other related posts advising me to change the order of the certificates in the chain, but how do I do that? And, if that’s not the actual solution, what is? Thanks.


#2

Hi,

Take a look at this answer please.

Is it possible that Let’s Encrypt was not included in your Android / Java trust store?

Thank you


#3

Thank you. It wasn’t the eventual solution, but it led me in the right initial direction. Many thanks :)


#4

@HomerPlata Could you share what did solve the problem for you, so that others with the same problem can benefit from it?


#5

Sorry, yes. I edited the conf file (/etc/apache2/sites-available/000-default-le-ssl.conf) and added the line:

SSLCertificateChainFile /etc/letsencrypt/live/zacksmohawk.com-0001/chain.pem

underneath the existing SSLCertificateFile and SSLCertificateKeyFile. Then I restarted Apache.
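A check for the situation this thread resolves, as an added example that is not part of the original posts: it parses the `Certificate chain` section of `openssl s_client` output and reports whether the server sent only the leaf certificate or sent certificates that do not link up in order. The function names and both sample inputs are constructed for illustration; the first sample is modelled on the output in post #1.

```python
import re

# Constructed sample: the "Certificate chain" section as s_client prints it,
# modelled on the output in post #1 (leaf plus intermediate).
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=zacksmohawk.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""
# Constructed sample: what a server configured without the chain would send.
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=zacksmohawk.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
"""

# One entry is a depth number with its subject line, followed by its issuer line.
ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)

def parse_chain(s_client_output):
    """Return [(depth, subject, issuer), ...] from the 'Certificate chain' section."""
    _, _, section = s_client_output.partition("Certificate chain")
    section = section.split("\n---", 1)[0]  # stop at the section separator
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def check_chain(s_client_output):
    """Return a list of problems; an empty list means the sent chain links up."""
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no certificate chain found in output"]
    problems = []
    # Each certificate must be issued by the one that follows it.
    for (d, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"cert {d} issuer does not match cert {d + 1} subject (wrong order?)")
    _, subject, issuer = chain[-1]
    # A lone, non-self-signed leaf means the client must already hold the intermediate.
    if len(chain) == 1 and subject != issuer:
        problems.append(f"only the leaf was sent; intermediate '{issuer}' is missing")
    return problems
```

Running `check_chain` on saved s_client output before and after a configuration change shows whether the intermediate is now being served, independent of what any one client's trust store happens to contain.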

