Accepting a CA doesn't work after a certificate change



  • Hi guys,

    I love the terrific new option to accept unknown certificates without major hackery. I've had a few situations where it didn't work though, one of them a while back while getting rid of CAdroid and now after a certificate change.

    So here's the situation: I generated a new cert using Let's Encrypt and put it on my DAV server. Then I let my Android device(s) sync; at first you don't see anything (no dialog, the calendars are silently not refreshed). When you go into the account settings you can see that it is permanently busy with syncing one of the accounts (I have 3 or 4). If you turn off one of the syncing accounts it will complain about an unknown certificate with the usual choices to deny, accept once, accept always. However accepting does not work; if you flick the switch the dialog will appear again ad infinitum.

    But there's a cure: remove one of the accounts with the tainted certificate and re-add it; accept always once and voilà: all affected accounts start synchronising again.

    Again, this also happened when I ditched CAdroid and my suspicion is it will happen again when the Let's Encrypt certificates expire in 90 days and I get a new one...


  • developer

    Hello, can you please provide logs of the various problems (MTM doesn't accept the new certificate) etc.? There should be error messages regarding MTM in the logs.



  • I don't see much useful info in the pulled log but here you go:

    [info ] Querying capabilities
    [trace] --> PROPFIND /card.php/addressbooks/daniel/default/ HTTP/1.1
    [trace] Depth: 0
    [trace] <?xml version='1.0' encoding='UTF-8' ?><propfind xmlns="DAV:" xmlns:CAL="urn:ietf:par\
    [trace] ams:xml:ns:caldav" xmlns:CARD="urn:ietf:params:xml:ns:carddav"><prop><CARD:supported-\
    [trace] address-data /><n0:getctag xmlns:n0="http://calendarserver.org/ns/" /></prop></propfi\
    [trace] nd>
    [trace] --> END PROPFIND (258-byte body)
    [error] I/O exception during sync, trying again later - EXCEPTION:
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
    	at com.squareup.okhttp.Connection.connectTls(Connection.java:239)
    	at com.squareup.okhttp.Connection.connectSocket(Connection.java:201)
    	at com.squareup.okhttp.Connection.connect(Connection.java:172)
    	at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:358)
    	at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:117)
    	at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:329)
    	at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:246)
    	at com.squareup.okhttp.Call.getResponse(Call.java:276)
    	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:234)
    	at com.squareup.okhttp.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:180)
    	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:223)
    	at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:196)
    	at com.squareup.okhttp.Call.execute(Call.java:79)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:239)
    	at at.bitfire.davdroid.syncadapter.ContactsSyncManager.queryCapabilities(ContactsSyncManager.java:95)
    	at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.java:145)
    	at at.bitfire.davdroid.syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter.onPerformSync(ContactsSyncAdapterService.java:52)
    	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)
    Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
    	at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:209)
    	at de.duenndns.ssl.MemorizingTrustManager.checkCertTrusted(MemorizingTrustManager.java:434)
    	at de.duenndns.ssl.MemorizingTrustManager.checkServerTrusted(MemorizingTrustManager.java:453)
    	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
    	... 18 more
    Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    	... 26 more
    java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
     [wrapped] java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
    	at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:209)
    	at de.duenndns.ssl.MemorizingTrustManager.checkCertTrusted(MemorizingTrustManager.java:434)
    	at de.duenndns.ssl.MemorizingTrustManager.checkServerTrusted(MemorizingTrustManager.java:453)
    	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:525)
    	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:302)
     [wrapped] javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    	at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
    	at com.squareup.okhttp.Connection.connectTls(Connection.java:239)
    	at com.squareup.okhttp.Connection.connectSocket(Connection.java:201)
    	at com.squareup.okhttp.Connection.connect(Connection.java:172)
    	at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:358)
    	at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:117)
    	at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:329)
    	at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:246)
    	at com.squareup.okhttp.Call.getResponse(Call.java:276)
    	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:234)
    	at com.squareup.okhttp.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:180)
    	at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:223)
    	at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:196)
    	at com.squareup.okhttp.Call.execute(Call.java:79)
    	at at.bitfire.dav4android.DavResource.propfind(DavResource.java:239)
    	at at.bitfire.davdroid.syncadapter.ContactsSyncManager.queryCapabilities(ContactsSyncManager.java:95)
    	at at.bitfire.davdroid.syncadapter.SyncManager.performSync(SyncManager.java:145)
    	at at.bitfire.davdroid.syncadapter.ContactsSyncAdapterService$ContactsSyncAdapter.onPerformSync(ContactsSyncAdapterService.java:52)
    	at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)
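    Added example, not part of the thread or of DAVdroid/MTM: a small Python triage helper that parses a Java exception chain like the one pasted above and reports whether the root cause is a missing trust anchor, whether MemorizingTrustManager was in the decision path and handed the chain to the system TrustManagerImpl (which is what rejected it), and which DAVdroid call triggered the request. The embedded log is a constructed subset of the trace above with most frames trimmed.

```python
import re

# Constructed subset of the DAVdroid trace pasted in the thread (most frames trimmed).
SAMPLE_LOG = """\
[error] I/O exception during sync, trying again later - EXCEPTION:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
\tat com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:306)
\tat com.squareup.okhttp.Connection.connectTls(Connection.java:239)
\tat at.bitfire.dav4android.DavResource.propfind(DavResource.java:239)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
\tat com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:318)
\tat de.duenndns.ssl.MemorizingTrustManager.checkCertTrusted(MemorizingTrustManager.java:434)
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
"""
# Exception header: "[Caused by: ]pkg.Class: message"; frame: "\tat pkg.Class.method(File.java:N)".
EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?:: (.*))?$")
FRAME_RE = re.compile(r"^\s+at ([\w.$]+)\.([\w$<>]+)\(([^)]*)\)$")
MTM_CLASS = "de.duenndns.ssl.MemorizingTrustManager"

def parse_exception_chain(log: str) -> list:
    # One dict per exception header; frames (class, method), innermost first, attach to the latest header.
    chain = []
    for line in log.splitlines():
        m = EXC_RE.match(line)
        if m:
            chain.append({"cls": m.group(1), "message": m.group(2) or "", "frames": []})
        elif chain and (f := FRAME_RE.match(line)):
            chain[-1]["frames"].append((f.group(1), f.group(2)))
    return chain

def triage(log: str) -> dict:
    # Root cause is the last "Caused by" link; MTM involvement and the DAVdroid call come from the frames.
    chain = parse_exception_chain(log)
    if not chain:
        return {"tls_trust_failure": False}
    root = chain[-1]
    frames = [f for link in chain for f in link["frames"]]
    app = [f"{c}.{m}" for c, m in frames if c.startswith("at.bitfire.")]
    return {
        "tls_trust_failure": "Trust anchor" in root["message"],
        "root_cause": f'{root["cls"]}: {root["message"]}',
        "mtm_in_path": any(c == MTM_CLASS for c, _ in frames),
        # MTM handed the chain to the system TrustManagerImpl, and that is what rejected it
        "mtm_delegated_to_system": any(c.endswith(".TrustManagerImpl") for c, _ in frames),
        "request_origin": app[0] if app else None,  # innermost DAVdroid frame
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    A log where MTM appears in the frames but the root cause is still "Trust anchor ... not found" means the memorized-certificate check never approved the new chain and the decision fell through to the system store, which is the symptom reported in this thread.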
    

  • developer

    @prof Thanks for the try. I think you didn't get the MTM messages in the logs because the HTTP client object is created at the very beginning of synchronization. Can you please try:

    1. enable verbose logging
    2. close all running apps (long-tap home button, close all)
    3. synchronize the account (one authority, e.g. contacts provider, is enough)
    4. have a look at the logs?

    They should now contain some info about the MTM initialization when creating the HTTP client.



  • The log unfortunately always looks the same after aborting the sync (before that it's a 0-byte file). I also checked the regular log using logcat but there's also nothing in there. Anything else you'd like me to try before working around the problem?


  • developer

    @prof I'll try switching from one self-signed cert to another and see whether it works.



  • So after the mandatory replacement of the certificates due to the 3 months expiry of the Let's Encrypt certificates the problem is back on all devices.


  • developer

    Hello,

    The cause for this problem has finally been identified. Please follow up at https://github.com/ge0rg/MemorizingTrustManager/issues/52

