Trust anchor for certification path not found (Android 5.1)

Domain
zutini.lv

Describe the bug
Trying to connect to a mail server secured with a Let's Encrypt certificate on Android 5.1 yields the following error:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

To Reproduce

  1. Create a new certificate using certbot.
  2. Configure your mail server to use it (the fullchain variant).
  3. Configure your Android 5.1 email client to connect to it.

Expected behavior
A successful connection. According to Let's Encrypt the new ISRG Root X1 certificate is cross-signed from DST Root CA X3 which is installed in Android 5.1 as a trusted root CA.

Log
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Platform:

  • OS: Android
  • Version: 5.1

Additional context
Connecting to the same server with e-mail clients from other operating systems such as Windows works fine. Manually installing the ISRG Root X1 certificate on the Android 5.1 device also resolves the problem (but isn't a satisfactory solution because of the constant security nagging from Android).

Welcome to the forum! Two questions:

  1. What app are you using to connect to the mail server?
  2. It appears that zutini.lv also serves a website; are you able to browse that website in the Android 5.1 default web browser?
3 Likes

Are you sure your mailserver is sending the entire chain?

If so, there probably isn't a solution other than using another CA or upgrading that device.

Trust anchor not found is strange, tho. DST Root X3 should be there, even if it's expired it keeps working.

2 Likes

Good day,

  1. I tried some standard issued client that came with the phone (Wiko Lenny 2), it's just called "E-Mail". I also tried the "Gmail" app which resulted in the same error message.
  2. No, this does not work either. The browser displays the error message NET::ERR_CERT_AUTHORITY_INVALID

Should I try to perform a factory reset of the phone to see if that makes any difference, perhaps?

1 Like

Hmm, that is surprising. Thanks for checking!

I've confirmed that zutini.lv (the website, at least, haven't tried to connect to a mailserver on that domain) is sending all three certificates (your end-entity cert, R3-signed-by-X1, and X1-signed-by-DST) in its handshake. It may be that:

  • DST Root CA X3 has been removed from the phone's root store
  • A setting has been flipped to prevent trusting expired roots
  • The OEM (Wiko) may have changed how cert validation works
  • Something else I'm not thinking of

A factory reset would address the first two issues there, but likely not the latter two.

4 Likes
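The chain described in the post above (leaf, R3 signed by ISRG Root X1, ISRG Root X1 cross-signed by DST Root CA X3) is what a client's path builder has to connect to a trust anchor. This added example, not code from the thread or from Let's Encrypt, models that walk with the standard library only: certificates are reduced to subject, issuer and key identifiers (key-id matching stands in for signature checks), and three constructed trust stores show why the chain validates on a stock Android 5.1 store, on a modern store that trusts ISRG Root X1 directly, and fails with exactly the reported message when DST Root CA X3 is missing or the server sends only the leaf.

```python
from dataclasses import dataclass

# Constructed model of X.509 path building: a certificate is reduced to the
# fields the path builder uses. Key ids stand in for public keys and for the
# signature check (a cert's aki must equal its issuer's ski).
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subject key identifier (this cert's own key)
    aki: str  # authority key identifier (the key that signed it)

# The chain the thread says the server sends; all key ids are constructed.
LEAF = Cert("zutini.lv", "R3", "k-leaf", "k-r3")
R3 = Cert("R3", "ISRG Root X1", "k-r3", "k-x1")
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", "k-x1", "k-dst")
SERVED_CHAIN = [LEAF, R3, X1_CROSS]

# Trust stores are sets of (subject, key id) anchors. Android does not check
# anchor expiry, which is why the expired DST Root CA X3 still works here.
ANDROID_5_1 = {("DST Root CA X3", "k-dst")}
MODERN = {("ISRG Root X1", "k-x1")}
BROKEN_PHONE = set()  # DST Root CA X3 missing, as suspected in the thread

def build_path(chain, anchors):
    """Walk from the leaf toward a trust anchor the way a TLS client does.
    Returns the subjects on the path (anchor last) or raises ValueError with
    the message Android prints when no anchor can be reached."""
    cert, path, seen = chain[0], [chain[0].subject], {chain[0]}
    while True:
        if (cert.issuer, cert.aki) in anchors:
            return path + [cert.issuer]
        # Find the next cert in the presented chain that issued this one.
        nxt = next((c for c in chain if c not in seen
                    and c.subject == cert.issuer and c.ski == cert.aki), None)
        if nxt is None:
            raise ValueError("Trust anchor for certification path not found.")
        seen.add(nxt)
        cert, path = nxt, path + [nxt.subject]

if __name__ == "__main__":
    cases = [("Android 5.1", ANDROID_5_1), ("modern store", MODERN),
             ("broken phone", BROKEN_PHONE)]
    for name, store in cases:
        try:
            print(f"{name}: {' -> '.join(build_path(SERVED_CHAIN, store))}")
        except ValueError as err:
            print(f"{name}: {err}")
    try:  # server that sends only the leaf, the case asked about above
        build_path([LEAF], ANDROID_5_1)
    except ValueError as err:
        print(f"leaf only: {err}")
```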

Hello @aarongable,

Thank you for your kind help. I just downloaded the Android 5.1 stock ROM that was available from the Wiko support website and installed it on the phone... and I couldn't believe it, but now it's working! Both connecting to the mail server as well as opening the website in the OS browser now works fine.

So something must have been really broken with the Android version on that phone and it had nothing to do with the issued certificates! Sorry for the inconvenience and thanks again for your prompt help!

Have a nice day!

5 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.