[SOLVED] CertPathValidatorException for LetsEncrypt

Tiny Tiny RSS Support
1

Own host with valid LetsEncryptCert,

in Chrome all fine

in Byed AndroidApp:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

nginx.{domain}.conf:
ssl_certificate /etc/letsencrypt/{domain}/{domain}.crt;
ssl_certificate_key /etc/letsencrypt/{domain}/{domain}.key;
ssl_trusted_certificate /etc/letsencrypt/{domain}/fullchain.crt;
// dnt work too
// ssl_trusted_certificate /etc/letsencrypt/{domain}/chain.crt;

nginx.ssl_params:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers “ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384”;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 10s;

ttrss.log:

05-14 04:06:47.242 26127 26153 W System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:236)
05-14 04:06:47.242 26127 26153 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
05-14 04:06:47.240 26127 26153 E CONSCRYPT: d5 43 07 eb 0b 02 03 01 00 01
05-14 04:06:47.240 26127 26153 E CONSCRYPT: d3 19 … 08 23
… … …
05-14 04:06:47.240 26127 26153 E CONSCRYPT: 30 82 … 00 03
05-14 04:06:47.240 26127 26153 E CONSCRYPT:
05-14 04:06:47.240 26127 26153 E CONSCRYPT: Public key:
05-14 04:06:47.214 26127 26153 E CONSCRYPT: Signature: 7f4 … a35
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Sig ALG name: SHA256withRSA
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Get not after: Wed Aug 12 02:15:41 GMT+03:00 2020
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Get not before: Thu May 14 02:15:41 GMT+03:00 2020
05-14 04:06:47.201 26127 26153 E CONSCRYPT: IssuerDN: CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US
05-14 04:06:47.201 26127 26153 E CONSCRYPT: SubjectDN: CN={domain}
05-14 04:06:47.201 26127 26153 E CONSCRYPT: Serial Number: 4c50d98f4afd5cb35a152d40e6a885b7ba4
05-14 04:06:47.201 26127 26153 E CONSCRYPT: SubjectKeyIdentifier: 41604142c7b84d1cc3d470fe432af7dc1f47ba53efa482f
05-14 04:06:47.201 26127 26153 E CONSCRYPT: AuthorityKeyIdentifier: 41830168014a84a6a63047dddbae6d139b7a64565eff3a8eca1
05-14 04:06:47.201 26127 26153 E CONSCRYPT: Version: 3
05-14 04:06:47.201 26127 26153 E CONSCRYPT: == Chain0 ==
05-14 04:06:47.201 26127 26153 E CONSCRYPT: ------------------Untrusted chain: ----------------------
05-14 04:06:46.979 26127 26127 D InputMethodManager: startInputInner - Id : 0
05-14 04:06:46.979 26127 26127 V InputMethodManager: Starting input: tba=org.fox.ttrss ic=null mNaviBarColor -855310 mIsGetNaviBarColorSuccess true , NavVisible : true , NavTrans : false

2

  1. This is not a TT-RSS issue. This is a web stack issue and you should be posting this on a different forum. Notwithstanding that a simple Google search turns up countless results on resolving the issue.

  2. The error is literally in the logs you posted (you used a portion of this for the title of your thread). Here is the appropriate section:

  1. Get rid of that ssl_trusted_certificate part, it doesn’t do what you think it does.

  2. Run something like this from a shell: cat cert.pem intermediate.pem > chain.pem then use that chain for ssl_certificate.

  3. There are several Let’s Encrypt utilities out there that will basically do all this for you, automatically.

Lastly, welcome to the forum. Please stay on topic in the future.

3

Oh, thnx!

changed in nginx.{domain}.conf:

ssl_certificate /etc/letsencrypt/{domain}/fullchain.crt;;
ssl_certificate_key /etc/letsencrypt/{domain}/{domain}.key;
ssl_trusted_certificate /etc/letsencrypt/{domain}/chain.crt;

// before tt-rss changed lib all works fine…