SSL Certificate not recognized
I have a web server with a purchased certificate from GANDI. It was correctly set with the full chain (my certificate + intermediate certificate concatenated) in the Apache configuration.
(Apache 2.4.10, SSLCertificateFile set to the path of a file containing my certificate concatenated with the intermediate certificate)
When I try to add my owncloud account, it says “Untrusted certificate in certificate path”. (Edited) CADroid reports the chain correctly (fetch lists the two certificates from the chain) and is able to import the certificate, but this defeats the purpose of purchasing a certificate.
What could be the problem?
This is not a DAVdroid problem. When I try your domain (taken from your email) in the default Android browser, it shows a certificate error, too.
To identify such problems, I recommend SSL Server Test. When you enter your domain there, you get several results (by the way, you should really disable SSLv3 to prevent POODLE attacks).
When looking at the Certification Paths section, you can see that there are two certification paths. In both, “AddTrust External CA Root” is in the default trust store.
- AddTrust External CA Root signs
- USERTrust RSA Certification Authority signs
- Gandi Standard SSL CA 2 signs
- your domain’s certificate.
In one of the certification paths, the “USERTrust RSA Certification Authority” is already in the trust store, so it’s not required for the server to send it. However, in the other certification path, “USERTrust RSA Certification Authority” is not in the trust store, so it would have to be sent by the server, too.
And this is the reason why your configuration doesn’t work with Android yet: Android doesn’t contain the “USERTrust RSA Certification Authority” in the default trust store (have a look in Settings / Security / Certificates / System), but only “AddTrust External CA Root”. So, you will have to send both “USERTrust RSA Certification Authority” and “Gandi Standard SSL CA 2” as intermediate certificates.
Ran into this as well. It might even be expected:
Not all web browsers have implemented the Root CA for SHA2 certificates. Consequently, it may be necessary to add the cross-signed certificate below to your server so that the client can verify the certification chain. …
I had followed the instructions to add a cross-signed certificate. Unfortunately, the bundling order in Gandi’s instructions is backwards. I didn’t have any problems with Firefox interpreting the cert chain, but SSL Server Test revealed it was “incomplete”. Reversing the order fixed the problem and immediately DAVdroid connected without complaint.
The cert bundle, in correct order, looks like this:
-----BEGIN CERTIFICATE-----
MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
...
0fKtirOMxyHNwu8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF6TCCA9GgAwIBAgIQBeTcO5Q4qzuFl8umoZhQ4zANBgkqhkiG9w0BAQwFADCB
...
BT02Vf6Dsuimrdfp5gJ0iHRc2jTbkNJtUQoj1iM=
-----END CERTIFICATE-----
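Added example, not from the thread: a POSIX shell check, using the openssl CLI, that a concatenated PEM bundle is in the order the replies above call for (leaf first, then each issuer in turn), which catches the reversed bundle the last reply describes before SSL Server Test has to. It builds a constructed throwaway root/intermediate/leaf chain so it runs offline; the names are placeholders, not Gandi's or USERTrust's certificates.

```shell
#!/bin/sh
# Check that a concatenated PEM bundle (the file SSLCertificateFile points at) is
# ordered leaf -> intermediate(s): each certificate must be directly followed by
# the certificate that issued it. Needs the openssl command-line tool.

# name_of FIELD FILE: print the subject or issuer of a PEM certificate without the
# "subject=" / "issuer=" prefix, so the two can be compared as plain strings.
name_of() {
    openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'
}

# check_bundle_order BUNDLE: return 0 if the chain links up in file order, 1 at the
# first certificate whose issuer is not the subject of the certificate after it.
check_bundle_order() {
    dir=$(mktemp -d)
    # one file per certificate, numbered in the order they appear in the bundle
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    count=$(ls "$dir" | wc -l | tr -d ' ')
    i=1; status=0
    while [ "$i" -lt "$count" ]; do
        issuer=$(name_of issuer "$dir/$i.pem")
        next=$(name_of subject "$dir/$((i + 1)).pem")
        if [ "$issuer" != "$next" ]; then
            echo "chain breaks after certificate $i: issuer '$issuer' != next subject '$next'"
            status=1; break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $status
}

# make_toy_chain DIR: constructed root -> intermediate -> leaf chain for the demo
# (throwaway RSA keys; the names are placeholders, not any real CA's).
make_toy_chain() {
    for n in root intermediate leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
            -out "$1/$n.csr" -subj "/CN=Toy $n" 2>/dev/null
    done
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 1 \
        -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/intermediate.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/intermediate.pem" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/intermediate.pem" \
        -CAkey "$1/intermediate.key" -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/intermediate.pem" > "$1/good-bundle.pem"  # leaf first: correct
    cat "$1/intermediate.pem" "$1/leaf.pem" > "$1/bad-bundle.pem"   # reversed: the post's bug
}
```

Run `check_bundle_order` against the real bundle from Apache's SSLCertificateFile; for the live server, the same subject/issuer comparison can be made on the certificates that `openssl s_client -showcerts` prints.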