SSL Certificate from StartCom not accepted



  • Hi, every time I log in to my phone, it shows me a dialog to accept the certificate of my own server.
    [screenshot]
    CADroid tells me something about a missing CA-Flag.
    [screenshot]
    My Owncloud calendar doesn't get synchronized anymore.
    Don't know exactly what the problem is or how to set a CA-Flag.

    SOFTWARE INFORMATION
    DAVdroid version: 0.9.1.3 (87) Sat Jan 02 11:24:54 MEZ 2016
    Installed from: com.android.vending
    JB Workaround installed: no
    CONFIGURATION
    System-wide synchronization: automatically
    Account: ****@songeasy.de
      Address book sync. interval: —
      Calendar     sync. interval: 60 min
      OpenTasks    sync. interval: manually
    Account: ***Kontakte
      Address book sync. interval: manually
      Calendar     sync. interval: —
      OpenTasks    sync. interval: manually
    SYSTEM INFORMATION
    Android version: 4.2.2 (JDQ39.I8200NXXUAOC1)
    Device: Samsung GT-I8200N (goldenve3g)
    

    The option for longer protocollation is greyed out.
    Thanks in advance!


  • developer

    Hello,

    1. You don't need CAdroid for using DAVdroid anymore (it makes sense for importing a custom CA, though, but not in your case).
    2. Your certificate chain is incomplete. Install the StartCom intermediate certificate as instructed on their homepage (SSLCertificateChainFile in case of Apache). You might also want to fix the other TLS issues.


  • doesn't help
    If I use the pem file, as suggested elsewhere, or the crt file, the error is the same.

    ```
    <VirtualHost *:443>
            SSLEngine On
            SSLProtocol all -SSLv2 -SSLv3
            SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
            SSLCertificateFile /etc/ssl/certs/songeasy.de.crt
            SSLCertificateKeyFile /etc/ssl/private/songeasy.de.key
            SSLCertificateChainFile /etc/ssl/certs/1_root_bundle.crt
    #        SSLCertificateChainFile /etc/ssl/certs/sub.class1.server.ca.pem
    #        SSLCACertificateFile /etc/ssl/certs/ca.pem
            DocumentRoot /var/www/
    </VirtualHost>
    ```

    edit: put ``` around configuration


  • developer

    @rekisum Your certificate chain is still incomplete and missing the "StartCom Class 1 DV Server CA" (have a look at "Chain issues").

    Please note that this is not related to DAVdroid but to your server's TLS configuration – if you visit the URL with the Android default browser (not Firefox or Chrome, which store additional trusted CAs including some intermediate certificates) or any other app, the same problem will occur.



  • I just tried with Chrome and IE. Both do not complain.

    But you are right as SSL Checker says:
    The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

    But I tried to follow StartCom's instructions, and their forum hasn't helped so far, so I got stuck.


  • developer

    @rekisum Did you use the correct intermediate certificate, "StartCom Class 1 DV Server CA" from https://startssl.com/root?



  • do you mean the 1_root_bundle.crt ?
    It came in the zip file.
    Where do I find "StartCom Class 1 DV Server CA" on the web site?
    Thanks for the quick help by the way :-)


  • developer

    @rekisum On https://startssl.com/root, "Intermediate CA Certificates", you can download "StartCom Class 1 DV Server CA" in PEM format (.crt).



  • yeah, found already ca.server1.crt :-)
    tried to use it as certificate chain file
    SSLCertificateChainFile /etc/ssl/certs/sca.server1.crt
    didn't help
    did you mean that?
    or is the pem file better?
    ?



  • neither of them worked :-(


  • developer

    @rekisum Well, according to ssllabs.com, the StartCom Class 1 DV Server CA is still not in the chain. So there's something wrong with the configuration, maybe the SSLCertificateChainFile is not applied or something. You will have to fix that to get the certificate accepted by all clients.

    Or, just click on "Always accept" in DAVdroid, it should work, too. But it won't fix the real problem.
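    The chain problem the developer describes here and above (the server must send the "Class 1 DV Server CA" intermediate, because a client that trusts only the root, like Android's system store, cannot build the chain otherwise), as an added Go example that is not from this thread or from DAVdroid: it constructs its own root, intermediate and leaf and checks what a root-only trust store accepts. All certificate names and the demo PKI are assumptions; only the hostname is the one from the thread.

    ```go
    package main

    import (
    	"crypto/ecdsa"
    	"crypto/elliptic"
    	"crypto/rand"
    	"crypto/x509"
    	"crypto/x509/pkix"
    	"math/big"
    	"time"
    )

    // mkCert issues a certificate signed by parent; a nil parent means self-signed (root).
    func mkCert(cn string, dns []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
    	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
    	tmpl := &x509.Certificate{
    		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed demo serial
    		Subject:      pkix.Name{CommonName: cn}, DNSNames: dns,
    		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
    		IsCA:         isCA, BasicConstraintsValid: true,
    		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
    		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
    	}
    	if parent == nil {
    		parent, pkey = tmpl, key
    	}
    	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
    	cert, _ := x509.ParseCertificate(der)
    	return cert, key
    }

    // BuildDemoPKI builds root -> intermediate -> leaf like StartCom Root -> "Class 1 DV Server CA" -> songeasy.de (all constructed, not the real certs).
    func BuildDemoPKI() (root, inter, leaf *x509.Certificate) {
    	root, rootKey := mkCert("Demo Root CA", nil, true, nil, nil)
    	inter, interKey := mkCert("Demo Class 1 DV Server CA", nil, true, root, rootKey)
    	leaf, _ = mkCert("songeasy.de", []string{"songeasy.de"}, false, inter, interKey)
    	return root, inter, leaf
    }

    // ChainComplete reports whether a client trusting only root (like Android's system store,
    // which ships no intermediates) can verify the chain the server presents, leaf first.
    func ChainComplete(presented []*x509.Certificate, root *x509.Certificate, host string) bool {
    	roots, inters := x509.NewCertPool(), x509.NewCertPool()
    	roots.AddCert(root)
    	for _, c := range presented[1:] { // everything after the leaf is offered as an intermediate
    		inters.AddCert(c)
    	}
    	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
    	return err == nil // false is what SSL Labs reports as "Chain issues: Incomplete"
    }
    ```

    Sending only the leaf (the situation in this thread) makes ChainComplete return false; adding the intermediate, which is what a working SSLCertificateChainFile does, makes it return true.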



  • How do you see that?
    It says: Chain issues incomplete
    Do you mean: extra download?

    No, always accept doesn't work.
    Have always to click the dialog multiple times.


  • developer

    @rekisum said:

    How do you see that?
    It says: Chain issues incomplete
    Do you mean: extra download?

    Yes, that means that chain is not complete and requires extra downloads to verify it.

    No, always accept doesn't work.
    Have always to click the dialog multiple times.

    Then there's a bug.



  • @rekisum Try removing the account from your Android device and re-adding it. I'm having similar problems (dialog constantly popping up) after a change of the certificates and re-creating the account solves the problem consistently.



  • Ok, it seems I resolved my SSL certificate problems, despite the CA-Flag.
    At some point while looking for the bug I disabled the StartCom certificate in the System Settings.
    Enabling it and going through the "accept permanently" dialogs seems to have fixed it.
    Calendar gets synced again. :-)

