WebDAV setup problem: Trust anchor for certification path not found.
Hi,
cc @dstillman
I was eager to finally download my own Zotero Android Beta build (1.0.0.-118, Android 34) and jumped right away to setup my own WebDAV storage.
I got the storage up on a MacMini with WebDAVNav as the WebDAV implementation. The server access is configured to use Digest Authentication and HTTPS with a purchased star-certificate (*.mydomain.fi).
The WebDAV access works fine from an iPad, iPhone and laptop both via my internal network and via public Internet when I open up a specific port on my Internet-firewall.
HOWEVER, I cannot get the access working from the Zotero Android app as I get the error message "Trust anchor for certification path not found" when I try to verify the server (Libraries>Settings>Account>Verify Server). The exact same WebDAV settings work fine on an iPad and iPhone.
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/ejd7zw0xtsfgcoagrzw0.png
I understand the same issue has been previously discussed and also solved (https://forums.zotero.org/discussion/117569/android-solved-webdav-) when Let's Encrypt certificate was being used. My case may be slightly different though. Here's my SSL certificate configuration/chain:
#1 Root CA: Comodo CA Limited: AAA Certificate Services
#2 ICA1: The USERTRUST Network: USERTrust RSA Certification Authority
#3 ICA2: Sectigo Limited: Sectigo RSA Domain Validation Secure Server CA
#4 My certificate: *.mydomain.fi
The #1 certificate is preinstalled in the Android by the system/device manufacturer (in my case HMD).
The #2 and #3 certificates I have uploaded in the device as user certificates and both are valid (acquired from SSL issued Sectigo Ltd) and show correct validation chain in the device.
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/7jgd69cbohc941trmk7d.png
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/zxicaq1b00v7z2nhx76w.png
I have also uploaded user credentials on the Android device as VPN and apps credentials including
1. user (private) key
2. user certificate
3. 1 CA certificate (Sectigo RSA Domain)
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/43prs8tej27i8b5feb4b.png
In this case the user key is the private key I generated specifically on the MacMini (terminal) for the creation of the SSL star-certificate and the user certificate is the commercial SSL-certificate validated by Sectigo RSA. These two match each other and work perfectly in another server I use for hosting another web server under the same domain.
I tested the setup also with my Android Chrome browser. Navigating to my WebDAV site with https-address works fine as can be seen on the screenshot below.
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/t24gmu1nbi4fiq6j4zu6.png
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/5a0do699tzpuafk0j1oe.png
https://s3.amazonaws.com/zotero.org/images/forums/u7903535/la2d7pwjrxku7092rchc.png
My question is: Why can't the Zotero app verify my WebDAV server instance even if the certificate chain is correct in the Android and presumably all my user certs are uploaded correctly? Anyway access to my WebDAV storage works fine with the Android Chrome browser. Could the problem lie in the fact that there are two ICAs in the chain?
wbr,
Tatu
If this is a publicly accessible server, you should test it with SSL Labs and make sure there are no chain issues.
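The chain check the reply recommends, as an added example that is not part of this thread or of Zotero's code. A TLS client normally holds only root CAs in its trust store, so it can build a path from the server's leaf certificate to a trust anchor only if the server sends every intermediate in the handshake; a chain with two intermediates is fine as long as both are sent. The script below generates a throwaway three-level chain with openssl (the names "Example Root CA", "Example Intermediate CA" and "*.example.test" are constructed) and shows that verifying the leaf against the root alone fails until the intermediate is supplied, which is the same failure class as a missing trust anchor on the client. One general Android platform caveat worth knowing when comparing an app with Chrome: since Android 7.0, apps by default trust only the system CA store and ignore user-installed CA certificates unless the app's network security configuration opts in, so uploading intermediates as user certificates does not help an app that has not opted in; whether a specific app does is not something this thread establishes.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a throwaway chain
# root -> intermediate -> leaf (all names constructed) and verifies the leaf
# with and without the intermediate. Runs fully offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the example does not depend on the system openssl.cnf.
cat > ossl.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.example.test
EOF

# P-256 keys keep generation fast; certificates are valid for two days only.
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256"

gen_chain() {
  # Root: self-signed CA, the part a device normally has preinstalled.
  openssl req -x509 -new -config ossl.cnf -extensions ca_ext $KEYOPTS -days 2 \
    -subj "/CN=Example Root CA" -keyout root.key -out root.pem >/dev/null 2>&1
  # Intermediate: CSR signed by the root and marked CA:TRUE.
  openssl req -new -config ossl.cnf $KEYOPTS \
    -subj "/CN=Example Intermediate CA" -keyout int.key -out int.csr >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -sha256 -extfile ossl.cnf -extensions ca_ext -out int.pem >/dev/null 2>&1
  # Leaf: wildcard server certificate signed by the intermediate.
  openssl req -new -config ossl.cnf $KEYOPTS \
    -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -sha256 -extfile ossl.cnf -extensions leaf_ext -out leaf.pem >/dev/null 2>&1
}

# Exit 0 only if leaf.pem chains to root.pem using the trust store alone,
# i.e. what a client sees when the server sends no intermediates.
verify_with_root_only() {
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Exit 0 only if leaf.pem chains to root.pem with the intermediate offered as
# an untrusted helper certificate, which is what a correct server chain provides.
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}

# Against a live server the same question is answered by (not executed here):
#   openssl s_client -connect HOST:PORT -servername HOST -showcerts </dev/null
# The output should list the leaf followed by every intermediate; only the
# root may be absent.

gen_chain
if verify_with_root_only; then
  echo "root only: verified (unexpected for a three-level chain)"
else
  echo "root only: FAILED, intermediate missing, like an incomplete server chain"
fi
if verify_with_intermediate; then
  echo "root + intermediate: verified"
else
  echo "root + intermediate: FAILED"
fi
```

The `-untrusted` file plays the role of the certificates a server appends after its leaf: they are used to build the path but are not themselves trust anchors. If the root-only check passes for a real server chain that is known to use intermediates, the leaf file contained more than the leaf; if the second check fails, look at which issuer name the verifier cannot resolve, as that is the certificate the server needs to send.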