TLS/SSL Cert Issue - java.security.cert.CertPathValidatorException using Android?
Question asked by CCWH - April 4, 2015 at 2:22 AM
Hello all,
 
Unsure if this is related to testing completed over the last 24 hours but....
 
When trying to connect to an IMAP mailbox using an Android (5.0) phone I am receiving the following error:
 

Incoming mail server (IMAP): Invalid security (SSL) certificate. java.security.cert.CertPathValidatorException: Trust Anchor for certificate path not found.

 
I haven't made any changes to the main certificate.
 
After completing a test SSL scan using ssllabs.com it doesn't throw any issues apart from the following (which I cannot remember seeing previously):
 
3 Extra download COMODO RSA Certification Authority 
Fingerprint: f5ad0bcc1ad56cd1507325b1c866c30ad92ef1b0 
RSA 4096 bits (e 65537) / SHA384withRSA
 
I haven't tested any other phones as of yet but using two different email apps produces the same error.
 
The interesting thing is that the ActiveSync account on the phone is working fine.
 
The last sync time on these accounts was yesterday afternoon. At that time I was making changes to ClamAV and restarted the SM service a few times...
 
Also, just to add, if I browse to webmail or mail on the phone it throws up a cert error saying not trusted.....so it definitely looks like something has changed server-side.
 
Any thoughts on this one?

7 Replies

0
OK, I am getting nowhere with this!
 
I have noticed that when using SSL Labs scanner it is showing two certificate paths.  I am guessing that this is due to us using a wildcard certificate on two different servers.  We use one for our main website and one for mail.domain.com.  Both on separate servers.  Here's the output on SSL Labs:
 
 
The top one must be the main website as when browsing to www.domain.com on the Android devices the cert on that is coming back just fine.  The main site is hosted on a Centos Apache box.  However, the mail domain (mail.domain.com) is hosted on a 2008 R2 IIS box and that seems to be where this new issue is.....which funnily enough is the box I was using when testing the Clam AV changes yesterday.  I really can't see a link unless it was down to rebooting the server due to the Clam issues.  The server was up for a good while so some cert issue could have reared its head at that point.
 
Any help would be really appreciated.
0
Further update....
 
There is definitely something weird with the certificate chain and I cannot fathom what has changed in the last 24 hours.
 
After doing some research it looks like the full cert chain is not being pushed and Android doesn't pull it.  I had to change on the devices STARTTLS (Strict Check) to STARTTLS (Accept Any).
 
After making the change all emails started being pulled down.
 
So, my issue is that even though this isn't the main email server we do still have some clients on it.  Any client with an Android device will get caught with this one.
 
Has anyone seen this before?
0
I have a Samsung Galaxy S5, running Android 5.0, with all of the latest patches, on Sprint, and use SmarterMail's services for all of the accounts on the phone without any problems.
 
Here are my Android connection settings for both Exchange and IMAP accounts:

IMAP:

  • INCOMING:
    • E-Mail address: full e-mail address: bbarnes@chicagonettech.com
    • Username: full e-mail address: bbarnes@chicagonettech.com
    • Password: *********** (as assigned to account)
    • Security Type: TLS (remember, SSL is deprecated and no longer used)
    • Port: 143

  • OUTGOING:
    • SMTP SERVER: FQDN or server mapped to SSL. In our case, that's securemail.chicagonettech.com
    • REQUIRE SIGN IN: checked
    • Security Type: TLS
    • Port: 587
    • Username: full e-mail address: bbarnes@chicagonettech.com
    • Password: *********** (as assigned to account)

EXCHANGE:

  • E-Mail address: full e-mail address: bbarnes@chicagonettech.com
  • Domain\username: \bbarnes@chicagonettech.com
  • Password: *********** (as assigned to account)
  • Exchange Server:  FQDN of Exchange server, in our case, securemail.chicagonettech.com
  • Use Secure Connection: CHECKED
    (only option at this time is SSL, but that is working, so I am assuming it is encrypting via TLS, because all of our SSL is disabled.)
 
When I checked your SSL certificate, via both your SmarterMail web interface, and your website, it appears clean.  It does, however, expire in just a few months, on 8 November, 2015:
We're running SmarterMail 13.3.3 with Comodo Positive SSL Wildcard certificates on our SmarterMail, webserver, CRM portal, and webstats server, and have no problems with the cert.  We have the same certificate installed, on multiple servers, for:
If you still have issues, then check:
 
to make certain you properly installed your SSL certificate.  Remember, you must install the certificates via the CERTIFICATE STORE in MMC and then export your wildcard certificate for SmarterMail, per the KB at:
 
 
Here are the instructions to export the SmarterMail certificate from your wildcard certificate (from the KB link above):
  • In MMC, open the certificate tree view.
  • Expand Personal and choose Certificates.
  • Right-click the certificate you wish to export -> All Tasks -> Export.
  • A new window will appear; hit Next.
  • Select "Do not export the private key" -> Next.
  • Select the option to save your SmarterMail certificate as a base64 X.509 .cer file -> Next.
  • Choose a save location such as C:\SmarterMail\Certificates\<SiteName>:
    • Name the certificate - I always name it for the site/server/domain.
    • I usually put the SmarterMail cert into a folder called CERTS in the SmarterMail MMC.
  • Click Save.
Now you have to map your ports to the certificate and IP address in SmarterMail.
 
If you have any problems, or still have issues, open a ticket with SmarterTools or contact one of us for assistance.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phone: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Thanks for the reply and info Bruce.
 
Interestingly enough my tests are with an S5 Android 5.0 with the exact settings as you have detailed.  All TLS (587/143).
 
As mentioned, it works fine if, when choosing TLS, I select TLS (Accept all certificates), but if I select just TLS it fails.
 
If I run SSL Labs it doesn't show any issues.  However, if I check with BlueSSL (https://www.bluessl.com/en/ssltest) it does show an error:
 
There is no trust the certificate. (27) 
The error may be due to the issue of internal CA. 

(no clients will accept this certificate)
 
Here's a couple of screenshots of Android Mail setup/issue:
 
Showing TLS options -
 
Showing Error if 'TLS' is chosen:
1
Your certs, and the SmarterMail server, test really clean!  I retested via SSL Tools, and you got it right.
 
Does anyone else have admin access to the server on which SmarterMail is running?
 
Did your server do a sudden, unauthorized, reboot?  Maybe corrupt a file - namely the SmarterMail cert?
 
I would re-check the exported SmarterMail certificate.
 
I would also check both your server, and, if you are using a hosting center, the center's firewalls.
Bruce Barnes
0
Thanks.  Clean off the back of most of your work within your document ;-)
 
I have just re-exported the cert and changed the cert path to the new one against the TLS ports within SM.  No change.
 
Thinking about it, as this is not just those ports but 443 too via IIS, it makes sense that the issue is external to the port binding within SM; otherwise the webmail on 443 would not have an issue.
 
Only an emergency admin has access and that is logged.  No access to anyone else and checking the log I am the only one to have accessed the server in a while, certainly since the last reboot.
 
No unexpected reboots showing in the event logs either.
 
I think I will request a re-issue from Comodo for the cert and see if that cures the issue.
 
This could also be down to an issue with the Ciphers maybe.  I might reuse IISCrypt to check those too.  All seems very weird!
 
This is annoying as we are only a few weeks away from fully migrating the email on this server to a 2012 R2 box!  The migration might just be brought forward if this issue continues.
1
 
You need to install both intermediate certificates:
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt

AddTrustExternalCARoot.crt - Need to import under trusted root authorities

In the Trusted Root Certification Authorities folder (MMC) if there is still the Comodo RSA Certification Authority root certificate, please remove this certificate from the Trusted Root Certification Authorities folder.

And normally your problem is gone.

You can test your domain under : https://sslanalyzer.comodoca.com/?url=www.yourdomain.com

Tell me if it fixed your issue.

Artionet Web Agency | Director - Strategic Consultant
Route de Moutier 109 | CH-2800 Delémont | Switzerland
www.artionet.com
Website, CMS, e-Commerce, e-Gov, Social News Room
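The failure in this thread (the server sends only its own certificate; Android does not fetch the missing issuer and reports "Trust Anchor for certificate path not found") and the fix in the reply above (install the intermediates so the server serves them) can be reproduced offline. The Go program below is an added example, not code from the thread, SmarterMail or Comodo: it builds a constructed root/intermediate/leaf chain with made-up names (mail.example.com, "Example Root CA", "Example Issuing CA") and verifies the leaf the way a strict client does, once with only the leaf served and once with the intermediate included.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey; a nil parent makes it self-signed (a root).
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// template is a minimal certificate; every name here is constructed for the example.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if !isCA { // leaf: the mail server's own certificate
		t.DNSNames = []string{"mail.example.com"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildChain returns root, intermediate, leaf: the public root the phone trusts,
// the issuing CA the server must send, and the server's own certificate.
func BuildChain() (root, inter, leaf *x509.Certificate) {
	root, rootKey := newCert(template("Example Root CA", 1, true), nil, nil)
	inter, interKey := newCert(template("Example Issuing CA", 2, true), root, rootKey)
	leaf, _ = newCert(template("mail.example.com", 3, false), inter, interKey)
	return
}

// VerifyAsStrictClient behaves like Android's strict check: it trusts only root
// and never fetches a missing issuer, so it sees exactly what the server served.
func VerifyAsStrictClient(leaf *x509.Certificate, served []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "mail.example.com", Roots: roots, Intermediates: inters})
	return err
}
```

With `served` empty the verification fails with Go's unknown-authority error, the counterpart of the Android message in the question; adding the intermediate to `served` is what the scanners in the thread check for when they report on the certificate path.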