Tiny Tiny RSS: Community

[SOLVED] CertPathValidatorException for LetsEncrypt

Own host with valid LetsEncryptCert,

in Chrome all fine

in Byed AndroidApp:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

nginx.{domain}.conf:
ssl_certificate /etc/letsencrypt/{domain}/{domain}.crt;
ssl_certificate_key /etc/letsencrypt/{domain}/{domain}.key;
ssl_trusted_certificate /etc/letsencrypt/{domain}/fullchain.crt;
// dnt work too
// ssl_trusted_certificate /etc/letsencrypt/{domain}/chain.crt;

nginx.ssl_params:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers “ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384”;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 10s;

ttrss.log:

05-14 04:06:47.242 26127 26153 W System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:236)
05-14 04:06:47.242 26127 26153 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
05-14 04:06:47.240 26127 26153 E CONSCRYPT: d5 43 07 eb 0b 02 03 01 00 01
05-14 04:06:47.240 26127 26153 E CONSCRYPT: d3 19 … 08 23
… … …
05-14 04:06:47.240 26127 26153 E CONSCRYPT: 30 82 … 00 03
05-14 04:06:47.240 26127 26153 E CONSCRYPT:
05-14 04:06:47.240 26127 26153 E CONSCRYPT: Public key:
05-14 04:06:47.214 26127 26153 E CONSCRYPT: Signature: 7f4 … a35
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Sig ALG name: SHA256withRSA
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Get not after: Wed Aug 12 02:15:41 GMT+03:00 2020
05-14 04:06:47.213 26127 26153 E CONSCRYPT: Get not before: Thu May 14 02:15:41 GMT+03:00 2020
05-14 04:06:47.201 26127 26153 E CONSCRYPT: IssuerDN: CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US
05-14 04:06:47.201 26127 26153 E CONSCRYPT: SubjectDN: CN={domain}
05-14 04:06:47.201 26127 26153 E CONSCRYPT: Serial Number: 4c50d98f4afd5cb35a152d40e6a885b7ba4
05-14 04:06:47.201 26127 26153 E CONSCRYPT: SubjectKeyIdentifier: 41604142c7b84d1cc3d470fe432af7dc1f47ba53efa482f
05-14 04:06:47.201 26127 26153 E CONSCRYPT: AuthorityKeyIdentifier: 41830168014a84a6a63047dddbae6d139b7a64565eff3a8eca1
05-14 04:06:47.201 26127 26153 E CONSCRYPT: Version: 3
05-14 04:06:47.201 26127 26153 E CONSCRYPT: == Chain0 ==
05-14 04:06:47.201 26127 26153 E CONSCRYPT: ------------------Untrusted chain: ----------------------
05-14 04:06:46.979 26127 26127 D InputMethodManager: startInputInner - Id : 0
05-14 04:06:46.979 26127 26127 V InputMethodManager: Starting input: tba=org.fox.ttrss ic=null mNaviBarColor -855310 mIsGetNaviBarColorSuccess true , NavVisible : true , NavTrans : false

  1. This is not a TT-RSS issue. This is a web stack issue and you should be posting this on a different forum. Notwithstanding that a simple Google search turns up countless results on resolving the issue.

  2. The error is literally in the logs you posted (you used a portion of this for the title of your thread). Here is the appropriate section:

  1. Get rid of that ssl_trusted_certificate part, it doesn’t do what you think it does.

  2. Run something like this from a shell: cat cert.pem intermediate.pem > chain.pem then use that chain for ssl_certificate.

  3. There are several Let’s Encrypt utilities out there that will basically do all this for you, automatically.

Lastly, welcome to the forum. Please stay on topic in the future.

Oh, thnx!

changed in nginx.{domain}.conf:

ssl_certificate /etc/letsencrypt/{domain}/fullchain.crt;;
ssl_certificate_key /etc/letsencrypt/{domain}/{domain}.key;
ssl_trusted_certificate /etc/letsencrypt/{domain}/chain.crt;

// before tt-rss changed lib all works fine…