我运行openssl s_client -connect mywishboard.com:443 | openssl x509 -noout -subject -issuer
我得到以下有关证书的信息(由客户端开发人员设置)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = StartCom Certification Authority, CN = StartCom Class 1 DV Server CA
verify return:1
depth=0 CN = mywishboard.com
verify return:1
subject= /CN=mywishboard.com
issuer= /C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
然后我检查Settings/system/trusted certificats,发现 StartCom Ltd 就在其中
但是,当我尝试发出 https 请求时,它们会抛出
javax.net.ssl.SSLHandshakeException:
java.security.cert.CertPathValidatorException:
Trust anchor for certification path not found
如果我使用curl -I https://mywishboard.com/xxx,它会返回
curl: (60) server certificate verification failed. CAfile: /etc/ssl
/certs/ca-certificates.crt CRLfile: none
该证书是否格式错误,或者我需要将其显式安装到 Android 设备?(但据我了解,如果证书是由受信任的 CA 颁发者签名的,那么我不需要安装它,对吗?)
最佳答案
网站does not provide an intermediate certificate这是完成证书链所需的。某些客户端(例如 Android)无法构建完整的证书路径,并且在发生这种情况时不信任该证书。
如果您是网站管理员,解决此问题的正确方法是发送至 download and supply the intermediate certificate以便发送完整的链。
关于android 不信任证书,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36838470/