Letsencrypt and android apps


#1

On Android, all browsers accept the LE certificates, but an app using the default HTTP client seems to have problems. Here is the corresponding code:

What do I need to change so it accepts LE certificates? Is it something about the depth of the trust chain (i.e. that LE is not a root certificate but an intermediate one)? My server has the fullchain.pem configured as certificate.


#2

What does SSLTest show? Maybe you’re missing part of the chain or the server’s accepted ciphers and methods aren’t compatible.

Also, DefaultHTTPClient is deprecated. Use HttpURLConnection, HttpClientBuilder, Volley or OkHttp.


#3

The app is a bit older, but just worked when using the right certificates (and failed on errors without any “accept this self-signed one”). I may look into changing it, but currently I do not even have a build environment installed.

For my Android 4:
Android 4.4.2 TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS

Total grade capped to B, because some insecure cipher is still allowed. Need to check this.


#4

I know the DST Root that cross-signs the Let’s Encrypt certificates isn’t a trusted CA in Java yet. It’s possible that the older DefaultHTTPClient uses the Java trust store, which could cause the problem you are seeing. I am just guessing, however.


#5

Ah, sounds plausible. May even explain why I always had problems correctly installing CaCert before. Meh, need to look into it to use another client.

BTW, upgraded now to A by choosing own DH-param \o/


#6

I also had problems in my Android apps. The problem was SNI… I changed to Volley and now it works.


#7

I would like to avoid anything not in core Android, as the app is on purpose very simple and without external dependencies. So I will first look around with the other Android URL APIs.
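Since #2 recommends HttpURLConnection and #7 wants to stay within the core Android APIs, here is an added diagnostic example (not code from the thread or from any poster) that uses only `javax.net.ssl.HttpsURLConnection`, which ships with Android and, per Android's own HTTPS documentation, sends SNI. It performs the handshake against the platform trust store and then prints the certificate chain the server presented, so you can see directly whether the intermediate (the thing `fullchain.pem` is supposed to deliver) actually arrives. The URL is a placeholder, not a host from the thread.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;

public final class ChainCheck {
    // Placeholder host; replace with the server under test.
    private static final String URL_UNDER_TEST = "https://example.com/";

    // Connects with the platform's default trust store (no custom TrustManager),
    // prints the chain the server presented and returns its length.
    // An SSLHandshakeException here means the platform did not accept the chain.
    public static int fetchAndDumpChain(String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        try {
            conn.connect(); // full TLS handshake, hostname verification included
            Certificate[] chain = conn.getServerCertificates();
            for (int i = 0; i < chain.length; i++) {
                X509Certificate x = (X509Certificate) chain[i];
                System.out.println("[" + i + "] subject=" + x.getSubjectX500Principal()
                        + " issuer=" + x.getIssuerX500Principal()
                        + " notAfter=" + x.getNotAfter());
            }
            // Drain the body so the underlying connection can be reused.
            try (InputStream in = conn.getInputStream()) {
                while (in.read() != -1) { /* discard */ }
            }
            return chain.length;
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : URL_UNDER_TEST;
        int n = fetchAndDumpChain(url);
        System.out.println(n + " certificate(s) presented by the server");
        if (n < 2) {
            System.out.println("Only the leaf was sent: the server is not delivering the intermediate.");
        }
    }
}
```

On Android, run this off the main thread (for example inside an `AsyncTask` or a plain `Thread`), since network access on the UI thread is rejected. If the handshake succeeds here but fails with the old Apache `DefaultHttpClient`, that points at the client (its lack of SNI or a different trust store, as #4 and #6 suspect) rather than at the server's chain; if it fails here too, look at the chain printout and the SSL Labs report first.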


#8

I haven’t looked at the details, but DAVdroid (an Android client app to connect to an ownCloud server) seems to work fine on my Android 4.4 phone.

One thing that I had to do to get it to work, however, was to follow the instructions in this post, which also solved my “This server's certificate chain is incomplete. Grade capped to B.” problems reported by the SSL Labs SSL Test site.


#9

I don’t think this is the problem, as I use the fullchain.pem with nginx on the domain, which should deliver this just as the Apache config in the linked post does.