blocks|key|828421|text|我收到的错误消息类似，但原因是自签名证书已过期。当我尝试openssl客户端时，它给了我一个原因，当我在firefox中检查证书对话框时，这个原因被忽略了。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|828422|因此，通常情况下，如果证书在密钥库中并且是“有效的”，那么这个错误就会发生。|828423|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

The error message I was getting was similar but the reason was that the self signed certificate had expired.
When the openssl client was attempted, it gave me the reason which was overlooked when I was checking the certificate dialog from firefox.

So in general, if the certificate is there in the keystore and its "VALID", this error will go off.

blocks|key|613289|text|在姜饼手机中，我总是得到这样的错误：Trust+Anchor+not+found+for+Android+SSL+Connection，即使我设置依赖于我的证书。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|613290|下面是我使用的代码(用Scala语言编写)：|613291|object+Security+{
++++private+def+createCtxSsl(ctx:+Context)+=+{
++++++++val+cer+=+{
++++++++++++val+is+=+ctx.getAssets.open("mycertificate.crt")
++++++++++++try
++++++++++++++++CertificateFactory.getInstance("X.509").generateCertificate(is)
++++++++++++finally
++++++++++++++++is.close()
++++++++}
++++++++val+key+=+KeyStore.getInstance(KeyStore.getDefaultType)
++++++++key.load(null,+null)
++++++++key.setCertificateEntry("ca",+cer)

++++++++val+tmf+=+TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
++++tmf.init(key)

++++++++val+c+=+SSLContext.getInstance("TLS")
++++++++c.init(null,+tmf.getTrustManagers,+null)
++++++++c
++++}

++++def+prepare(url:+HttpURLConnection)(implicit+ctx:+Context)+{
++++++++url+match+{
++++++++++++case+https:+HttpsURLConnection+⇒
++++++++++++++++val+cSsl+=+ctxSsl+match+{
++++++++++++++++++++case+None+⇒
++++++++++++++++++++++++val+res+=+createCtxSsl(ctx)
++++++++++++++++++++++++ctxSsl+=+Some(res)
++++++++++++++++++++++++res
++++++++++++++++++++case+Some(c)+⇒+c
++++++++++++++++}
++++++++++++++++https.setSSLSocketFactory(cSsl.getSocketFactory)
++++++++++++case+_+⇒
++++++++}
++++}

++++def+noSecurity(url:+HttpURLConnection)+{
++++++++url+match+{
++++++++++++case+https:+HttpsURLConnection+⇒
++++++++++++++++https.setHostnameVerifier(new+HostnameVerifier+{
++++++++++++++++++++override+def+verify(hostname:+String,+session:+SSLSession)+=+true
++++++++++++++++})
++++++++++++case+_+⇒
++++++++}
++++}
}|code-block|syntax|javascript|613292|下面是连接代码：|613293|def+connect(securize:+HttpURLConnection+⇒+Unit)+{
++++val+conn+=+url.openConnection().asInstanceOf[HttpURLConnection]
++++securize(conn)
++++conn.connect();
++++....
}

try+{
++++connect(Security.prepare)
}+catch+{
++++case+ex:+SSLHandshakeException+/*if+ex.getMessage+!=+null+&&+ex.getMessage.contains("Trust+anchor+for+certification+path+not+found")*/+⇒
++++++++connect(Security.noSecurity)
}|613294|基本上，我设置为信任我的自定义证书。如果失败，我将禁用安全性。这不是最好的选择，但我知道的唯一的选择，旧的和有漏洞的手机。|613295|这个示例代码，可以很容易地翻译成Java。|613296|entityMap^0|I|1D|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|W|8|@$9|X|A|Y|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|Z|8|@]|D|@]|E|$]]|$1|H|3|I|5|J|7|10|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|11|8|@]|D|@]|E|$]]|$1|O|3|P|5|J|7|12|8|@]|D|@]|E|$K|L]]|$1|Q|3|R|5|6|7|13|8|@]|D|@]|E|$]]|$1|S|3|T|5|6|7|14|8|@]|D|@]|E|$]]|$1|U|3|-4|5|6|7|15|8|@]|D|@]|E|$]]]|V|$]]

In Gingerbread phones, I always get this error: <code>Trust Anchor not found for Android SSL Connection</code>, even if I setup to rely on my certificate.

Here is the code I use (in Scala language):

<pre><code>object Security {
 private def createCtxSsl(ctx: Context) = {
 val cer = {
 val is = ctx.getAssets.open("mycertificate.crt")
 try
 CertificateFactory.getInstance("X.509").generateCertificate(is)
 finally
 is.close()
 }
 val key = KeyStore.getInstance(KeyStore.getDefaultType)
 key.load(null, null)
 key.setCertificateEntry("ca", cer)

 val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
 tmf.init(key)

 val c = SSLContext.getInstance("TLS")
 c.init(null, tmf.getTrustManagers, null)
 c
 }

 def prepare(url: HttpURLConnection)(implicit ctx: Context) {
 url match {
 case https: HttpsURLConnection ⇒
 val cSsl = ctxSsl match {
 case None ⇒
 val res = createCtxSsl(ctx)
 ctxSsl = Some(res)
 res
 case Some(c) ⇒ c
 }
 https.setSSLSocketFactory(cSsl.getSocketFactory)
 case _ ⇒
 }
 }

 def noSecurity(url: HttpURLConnection) {
 url match {
 case https: HttpsURLConnection ⇒
 https.setHostnameVerifier(new HostnameVerifier {
 override def verify(hostname: String, session: SSLSession) = true
 })
 case _ ⇒
 }
 }
}
</code></pre>

and here is the connection code:

<pre><code>def connect(securize: HttpURLConnection ⇒ Unit) {
 val conn = url.openConnection().asInstanceOf[HttpURLConnection]
 securize(conn)
 conn.connect();
 ....
}

try {
 connect(Security.prepare)
} catch {
 case ex: SSLHandshakeException /*if ex.getMessage != null &amp;&amp; ex.getMessage.contains("Trust anchor for certification path not found")*/ ⇒
 connect(Security.noSecurity)
}
</code></pre>

Basically, I setup to trust on my custom certificate. If that fails, then I disable security. This is not the best option, but the only choice I know with old and buggy phones.

This sample code, can be easily translated into Java.

blocks|key|613355|text|我也有同样的问题，我发现我提供的证书.crt文件缺少一个中间证书。所以我从我的服务器管理员那里询问了所有的.crt文件，然后以相反的顺序将它们连接起来。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|613356|例如。1.+Root.crt+2.+Inter.crt+3.+myCrt.crt|613357|在windows中，我执行了copy+Inter.crt+%2B+Root.crt+newCertificate.crt|613358|(这里我忽略了myCrt.crt)|613359|然后，我通过inputstream将newCertificate.crt文件转换成代码。工作完成了。|613360|entityMap^0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|M|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|N|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|O|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|P|8|@]|9|@]|A|$]]|$1|J|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|K|$]]

I had the same problem what i found was that the certificate .crt file i provided missing an intermediate certificate. So I asked all .crt files from my server admin, then concatinated them in reverse order.

Ex.
1. Root.crt
2. Inter.crt
3. myCrt.crt

in windows i executed
copy Inter.crt + Root.crt newCertificate.crt

(Here i ignored myCrt.crt)

Then i provided newCertificate.crt file into code via inputstream.
Work done.

blocks|key|613367|text|**Set+proper+alias+name**
CertificateFactory+certificateFactory+=+CertificateFactory.getInstance("X.509","BC");
++++++++++++X509Certificate+cert+=+(X509Certificate)+certificateFactory.generateCertificate(derInputStream);
++++++++++++String+alias+=+cert.getSubjectX500Principal().getName();
KeyStore+trustStore+=+KeyStore.getInstance(KeyStore.getDefaultType());
++++++++++++trustStore.load(null);
trustStore.setCertificateEntry(alias,+cert);|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|613368|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>**Set proper alias name**
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509","BC");
 X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(derInputStream);
 String alias = cert.getSubjectX500Principal().getName();
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
 trustStore.load(null);
trustStore.setCertificateEntry(alias, cert);
</code></pre>

blocks|key|828665|text|您可以在运行时信任特定的证书。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|828666|只需从服务器下载它，放入资产，然后使用ssl-utils-android加载|offset|length|828667|OkHttpClient+client+=+new+OkHttpClient();
SSLContext+sslContext+=+SslUtils.getSslContextForCertificateFile(context,+"BPClass2RootCA-sha2.cer");
client.setSslSocketFactory(sslContext.getSocketFactory());|code-block|syntax|javascript|828668|在上面的示例中，我使用的是OkHttpClient，但是SSLContext可以与Java中的任何客户端一起使用。|style|CODE|828669|如果您有任何问题，请随时提出。我是这个小图书馆的作者。|828670|entityMap|0|LINK|mutability|MUTABLE|url|https://github.com/mklimek/ssl-utils-android^0|0|J|H|0|0|0|D|C|S|A|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Z|8|@]|9|@$D|10|E|11|1|12]]|A|$]]|$1|F|3|G|5|H|7|13|8|@]|9|@]|A|$I|J]]|$1|K|3|L|5|6|7|14|8|@$D|15|E|16|M|N]|$D|17|E|18|M|N]]|9|@]|A|$]]|$1|O|3|P|5|6|7|19|8|@]|9|@]|A|$]]|$1|Q|3|-4|5|6|7|1A|8|@]|9|@]|A|$]]]|R|$S|$5|T|U|V|A|$W|X]]]]

You can trust particular certificate at runtime. 
Just download it from server, put in assets and load like this using <a href="https://github.com/mklimek/ssl-utils-android" rel="noreferrer">ssl-utils-android</a>:

<pre><code>OkHttpClient client = new OkHttpClient();
SSLContext sslContext = SslUtils.getSslContextForCertificateFile(context, "BPClass2RootCA-sha2.cer");
client.setSslSocketFactory(sslContext.getSocketFactory());
</code></pre>

In the example above I used <code>OkHttpClient</code> but <code>SSLContext</code> can be used with any client in Java.

If you have any questions feel free to ask. I'm the author of this small library.

blocks|key|613502|text|在我的例子中，这是在更新到Android+8.0之后发生的。Android使用签名算法SHA1withRSA设置为信任的自签名证书。切换到新的证书，使用签名算法SHA256withRSA修复了这个问题。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|613503|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|D|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|E|8|@]|9|@]|A|$]]]|C|$]]

In my case this was happening after update to Android 8.0. The self-signed certificate Android was set to trust was using signature algorithm SHA1withRSA. Switching to a new cert, using signature algorithm SHA256withRSA fixed the problem.

blocks|key|828788|text|发生信任锚错误的原因有很多。对我来说，这仅仅是因为我试图访问https://example.com/，而不是https://www.example.com/。|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|828789|因此，您可能希望在开始构建自己的信任管理器之前仔细检查您的URL(就像我一样)。|828790|entityMap^0|U|K|1I|O|0|0^^$0|@$1|2|3|4|5|6|7|J|8|@$9|K|A|L|B|C]|$9|M|A|N|B|C]]|D|@]|E|$]]|$1|F|3|G|5|6|7|O|8|@]|D|@]|E|$]]|$1|H|3|-4|5|6|7|P|8|@]|D|@]|E|$]]]|I|$]]

The Trust anchor error can happen for a lot of reasons. For me it was simply that I was trying to access <code>https://example.com/</code> instead of <code>https://www.example.com/</code>.

So you might want to double-check your URLs before starting to build your own Trust Manager (like I did).

blocks|key|828860|text|我知道您不需要信任所有证书，但在我的例子中，我在一些调试环境中遇到了问题，在这些环境中，我们有自签名证书，我需要一个脏的解决方案。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|828861|我所要做的就是更改sslContext的初始化|offset|length|style|CODE|828862|mySSLContext.init(null,+trustAllCerts,+null);+|code-block|syntax|javascript|828863|trustAllCerts是这样创建的：|828864|private+final+TrustManager[]+trustAllCerts=+new+TrustManager[]+{+new+X509TrustManager()+{
++++public+java.security.cert.X509Certificate[]+getAcceptedIssuers()+{
++++++++return+new+java.security.cert.X509Certificate[]{};
++++}

++++public+void+checkClientTrusted(X509Certificate[]+chain,
+++++++++++++++++++++++++++++++++++String+authType)+throws+CertificateException+{
++++}

++++public+void+checkServerTrusted(X509Certificate[]+chain,
+++++++++++++++++++++++++++++++++++String+authType)+throws+CertificateException+{
++++}
}+};|828865|希望这能派上用场。|828866|entityMap^0|0|9|A|0|0|0|D|0|0|0^^$0|@$1|2|3|4|5|6|7|U|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|V|8|@$D|W|E|X|F|G]]|9|@]|A|$]]|$1|H|3|I|5|J|7|Y|8|@]|9|@]|A|$K|L]]|$1|M|3|N|5|6|7|Z|8|@$D|10|E|11|F|G]]|9|@]|A|$]]|$1|O|3|P|5|J|7|12|8|@]|9|@]|A|$K|L]]|$1|Q|3|R|5|6|7|13|8|@]|9|@]|A|$]]|$1|S|3|-4|5|6|7|14|8|@]|9|@]|A|$]]]|T|$]]

I know that you don't need to trust all certificates but in my case I had problems with some debugging environments where we had self-signed certificates and I needed a dirty solution. 

All I had to do was to change the initialization of the <code>sslContext</code>

<pre><code>mySSLContext.init(null, trustAllCerts, null); 
</code></pre>

where <code>trustAllCerts</code> was created like this:

<pre><code>private final TrustManager[] trustAllCerts= new TrustManager[] { new X509TrustManager() {
 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
 return new java.security.cert.X509Certificate[]{};
 }

 public void checkClientTrusted(X509Certificate[] chain,
 String authType) throws CertificateException {
 }

 public void checkServerTrusted(X509Certificate[] chain,
 String authType) throws CertificateException {
 }
} };
</code></pre>

Hope that this will come in handy.

blocks|key|828920|text|我知道这是一篇很老的文章，但我是在尝试解决我的信任锚问题时看到这篇文章的。我已经发布了我是如何修复它的。如果您预先安装了根CA，则需要将配置添加到清单中。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|828921|https://stackoverflow.com/a/60102517/114265|offset|length|828922|entityMap|0|LINK|mutability|MUTABLE|url^0|0|0|17|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@$D|O|E|P|1|Q]]|A|$]]|$1|F|3|-4|5|6|7|R|8|@]|9|@]|A|$]]]|G|$H|$5|I|J|K|A|$L|C]]]]

I know this is a very old article, but I came across this article when trying to solve my trust anchor issues. I have posted how I fixed it. If you have pre-installed your Root CA you need to add a configuration to the manifest.

<a href="https://stackoverflow.com/a/60102517/114265">https://stackoverflow.com/a/60102517/114265</a>

blocks|key|828980|text|有时，当管理员不正确地设置证书时，会发生这种情况。在https://www.sslshopper.com/ssl-checker.html中检查URL|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|828981|在我的例子中，有一个错误|828982|并非所有web浏览器都信任该证书。您可能需要安装中间/链证书，才能将其链接到受信任的根证书。了解有关此错误的更多信息。您可以按照GlobalSign针对您的服务器平台的证书安装说明来修复此问题。请注意有关中间证书的部分。|828983|entityMap|0|LINK|mutability|MUTABLE|url|https://www.sslshopper.com/ssl-checker.html^0|Q|17|0|0|0|0^^$0|@$1|2|3|4|5|6|7|P|8|@]|9|@$A|Q|B|R|1|S]]|C|$]]|$1|D|3|E|5|6|7|T|8|@]|9|@]|C|$]]|$1|F|3|G|5|6|7|U|8|@]|9|@]|C|$]]|$1|H|3|-4|5|6|7|V|8|@]|9|@]|C|$]]]|I|$J|$5|K|L|M|C|$N|O]]]]

Sometimes it happens when admins setup the certificate incorrectly
Check URL here
<a href="https://www.sslshopper.com/ssl-checker.html" rel="nofollow noreferrer">https://www.sslshopper.com/ssl-checker.html</a>
In my case, there was an error
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GlobalSign's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

blocks|key|613843|text|我通过改变解决了我的问题|type|unstyled|depth|inlineStyleRanges|entityRanges|data|613844|https://example.com/|code-block|syntax|javascript|613845|至|613846|http://example.com/|613847|因为服务器没有SSL证书。|613848|因此，请检查服务器的url并进行相应的更改|613849|entityMap^0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|R|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|S|8|@]|9|@]|A|$]]|$1|I|3|J|5|D|7|T|8|@]|9|@]|A|$E|F]]|$1|K|3|L|5|6|7|U|8|@]|9|@]|A|$]]|$1|M|3|N|5|6|7|V|8|@]|9|@]|A|$]]|$1|O|3|-4|5|6|7|W|8|@]|9|@]|A|$]]]|P|$]]

I solved my problem by changing
<pre><code>https://example.com/
</code></pre>
to
<pre><code>http://example.com/
</code></pre>
as the server did not have SSL certificate.
so, check your server's url and chnage accordingly

blocks|key|829247|text|像下面这样的陈词滥调:+var+httpClient+=+new+HttpClient(new+System.Net.Http.HttpClientHandler())；|type|unstyled|depth|inlineStyleRanges|entityRanges|data|829248|将https更改为http|829249|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

Relpcae your clicent Like below
var httpClient = new HttpClient(new System.Net.Http.HttpClientHandler());
Change https to http

I am trying to connect to an IIS6 box running a godaddy 256bit SSL cert, and I am getting the error :
<pre><code>java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
</code></pre>
Been trying to determine what could be causing that, but drawing blanks right now.
Here is how I am connecting :
<pre class="lang-java prettyprint-override"><code>HttpsURLConnection conn; 
conn = (HttpsURLConnection) (new URL(mURL)).openConnection();
conn.setConnectTimeout(20000);
conn.setDoInput(true);
conn.setDoOutput(true);
conn.connect();
String tempString = toString(conn.getInputStream());
</code></pre>

Trust Anchor not found for Android SSL Connection

服务器

Android

Java

我正在尝试连接到运行GoDady256bitSSL证书的IIS6机器，但收到错误消息：java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.一直在努力找出可能的原因，但现在什么都没查到。下...

问找不到Android SSL连接的信任锚点
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问找不到Android SSL连接的信任锚点EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问找不到Android SSL连接的信任锚点
EN