Usually the problem is the server is not including the intermediate CA certificate in its chain, the lack of the root CA is not an issue. If the root CA isn't trusted, adding to the server chain isn't going to help.
indeed, there is only the server certificate showing in the server's chain: $ openssl s_client -connect crm.logos.net:443 --- Certificate chain 0 s:/description=Jyxy9NiMHsY03dIv/C=IT/ST=Modena/L=Modena/O=LOGOS S.P.A./CN=crm.logos.net/[email protected] i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA --- compare with the cert.startcom.org site itself: $ openssl s_client -connect cert.startcom.org:443 --- Certificate chain 0 s:/C=IL/ST=HaDarom/L=Eilat/postalCode=88000/street=Ha Sapan 5/O=StartCom Ltd. (Start Commercial Limited)/CN=www.startcom.org/[email protected]/serialNumber=513747303/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=IL i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Extended Validation Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority --- -bri On Tue, Sep 16, 2014 at 12:26 AM, Sudhakar Bedapudi <[email protected]> wrote: > Thanks for the help Kristian .Let me try the fix. > > On Tue, Sep 16, 2014 at 12:39 PM, Kristian Erik Hermansen > <[email protected]> wrote: >> >> Site is not sending the root CA in the bundle. For many standard web >> browsers, that won't matter, but the Android app / OS may not have the root >> CA in its local CA trust store. So, make sure the server side bundle >> includes the proper certs in the chain to the clients... >> >> -- >> Regards, >> >> Kristian Erik Hermansen >> https://www.linkedin.com/in/kristianhermansen >> >> On Sep 15, 2014 11:54 PM, "Sudhakar Bedapudi" <[email protected]> >> wrote: >>> >>> Thanks for the help. I checked the host at Qualys SSL Labs checker ,and >>> there are warnings represented in Orange color. >>> https://www.ssllabs.com/ssltest/analyze.html?d=crm.logos.net >>> >>> Does it mean the certificate is not valid for Android. >>> >>> On Tue, Sep 16, 2014 at 11:02 AM, Kristian Erik Hermansen >>> <[email protected]> wrote: >>>> >>>> Also probably affects Chrome. Ensure you send the StartCom CA public key >>>> in the server chain bundle if the server is doing it wrong. You can check >>>> that by submitting the domain to the Qualys SSL Labs checker and look for >>>> anything in orange or red (bad server config)... >>>> >>>> -- >>>> Regards, >>>> >>>> Kristian Erik Hermansen >>>> https://www.linkedin.com/in/kristianhermansen >>>> >>>> On Sep 15, 2014 9:33 PM, "Sudhakar Bedapudi" <[email protected]> >>>> wrote: >>>>> >>>>> My android app user is hosting his web server with the SSL certificate >>>>> provided by StartCom. >>>>> >>>>> When he try to access his server from the android app,he is getting the >>>>> following error. >>>>> javax.net.ssl.SSLPeerUnverifiedException no peer certificate. >>>>> >>>>> Are there any issues with StartCom Certificates in Android.please >>>>> update me. >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Android Security Discussions" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To post to this group, send email to >>>>> [email protected]. >>>>> Visit this group at >>>>> http://groups.google.com/group/android-security-discuss. >>>>> For more options, visit https://groups.google.com/d/optout. >>> >>> > > -- > You received this message because you are subscribed to the Google Groups > "Android Security Discussions" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to > [email protected]. > Visit this group at http://groups.google.com/group/android-security-discuss. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/d/optout.
