Securing a WebSocket with a valid Namecheap certificate - CertPathValidatorException: Trust anchor for certification path not found

Time: 2015-02-17 07:46:16

Tags: java android websocket ssl-certificate

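I bought a valid wildcard certificate for my domain neelo.de from namecheap.com. Now I am trying to connect over WSS from Android and I always get "javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found." But I have no idea why. The certificate is not self-signed, and I read these docs from Google: https://developer.android.com/training/articles/security-ssl.html

But these problems should only occur with self-signed certificates. I tried it with nodejs and it works fine: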

WebSocket = require "ws"
ws = new WebSocket("wws://api.neelo.de")

ws.on "open", -> console.log "OPEN"
ws.on "close", -> console.log "CLOSE"
ws.on "error", (err) -> console.log err
ws.on "message", (data) -> console.log data

This is my Android code that loads the key store:

public WebSocketClient(Context context) throws Exception {
    super(new URI("wss://api.neelo.de"), new Draft_76());
    this.context = context;
    this.messageReceiver = messageReceiver;
    configureKeyStore();
}

void configureKeyStore() throws Exception {
    Log.d(TAG, "Configure key store");

    KeyStore ks = KeyStore.getInstance(STORE_TYPE);
    InputStream in = getContext().getResources().openRawResource(R.raw.android_keystore);

    ks.load(in, STORE_PASSWORD.toCharArray());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, STORE_PASSWORD.toCharArray());
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

    SSLSocketFactory factory = sslContext.getSocketFactory();

    super.setSocket(factory.createSocket());
}

Does anyone have an idea? Thanks for the help! This problem has cost me 3 days...

1 answer:

Answer 0 (score: 0)

Now I am trying to connect over WSS from Android and I always get javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

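I believe you have three options.

First, install the root used by Namecheap on the Android device. Unfortunately, I can't find the download page for their root CA. Are they reselling for someone else?

Second, use a wildcard certificate from a CA whose root is preinstalled. For that, I recommend Startcom. Their CA is preinstalled and trusted in most mobile and desktop browsers. I recommend them because they offer free Class 1 certificates (they charge for revocation if it is needed).

Third, use a custom trust store. For an example, see Using a Custom Certificate Trust Store on Android.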
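The third option in the answer above (a custom trust store), as an added example that is not part of the original question or answer: it builds an `SSLSocketFactory` that trusts only the CA certificates supplied by the caller, with certificate validation left fully enabled. The class name `PinnedCaSocketFactory` and the CA file passed on the command line are assumptions; on Android the stream would come from a raw resource bundled with the app.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class, not code from the page.
public final class PinnedCaSocketFactory {

    /** Trusts only the CA certificates in caStream (PEM or DER, one or more). */
    public static SSLSocketFactory fromCaCertificates(InputStream caStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        // Empty in-memory keystore: it holds trust anchors only, no private keys.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        int count = 0;
        for (Certificate c : cf.generateCertificates(caStream)) {
            X509Certificate ca = (X509Certificate) c;
            ca.checkValidity(); // reject an expired or not-yet-valid anchor up front
            trustStore.setCertificateEntry("ca-" + count++, ca);
        }
        if (count == 0) {
            throw new IllegalArgumentException("no CA certificate found in input");
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No KeyManager: the client authenticates the server and sends no client certificate.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the CA certificate file (assumed input for this example)
        try (InputStream in = new FileInputStream(args[0])) {
            SSLSocketFactory factory = fromCaCertificates(in);
            System.out.println("factory ready: " + factory.getClass().getName());
        }
    }
}
```

A socket created directly from an `SSLSocketFactory` validates the certificate chain but does not check the hostname unless endpoint identification is enabled, so verify the peer hostname after the handshake before sending data.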