Android Authentication Error – Trust Anchor for Certification Path Not Found

When logging in to the Accredo Sales or Accredo Inventory app on an Android device, the following authentication error may occur:

Authentication Error java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

This error is not caused by Accredo. It is returned by Android when the SSL/TLS certificate presented by the server cannot be verified.

Android cannot build a complete chain of trust from the server certificate to a trusted Certificate Authority (CA). This is typically caused by a server or certificate configuration issue.

What the Error Means

Android is reporting that it cannot validate the certificate chain provided by the server. This can occur if:

Unlike Windows or iOS, Android does not automatically download missing intermediate certificates when validating SSL connections. If the server does not present the complete certificate chain, Android will fail the connection.

Most Common Cause

The most common cause of this error is a missing intermediate certificate on the server.

Some platforms automatically retrieve missing intermediate certificates, which can hide the problem. For example:

This means that a server with an incomplete certificate chain may appear to work correctly in browsers or on desktop systems but fail when accessed from Android devices.
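The failure can be reproduced offline with OpenSSL, which, like Android, validates a chain using only the certificates it is handed and does not download a missing issuer. The script below is an added example, not part of Accredo or of the original article; it builds a throwaway root, intermediate and leaf (all names and files are constructed for the demo) and validates the leaf with and without the intermediate.

```sh
#!/bin/sh
# Added example: lab reproduction of an incomplete certificate chain.
# Every name and file below is constructed for the demo.
set -eu

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
make_lab() {
  printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/ext.cnf"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$n.key" \
      -subj "/CN=Lab $n" -out "$1/$n.csr" 2>/dev/null
  done
  # Self-signed root, marked as a CA.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ext.cnf" -extensions ca -out "$1/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -set_serial 2 -days 2 -extfile "$1/ext.cnf" -extensions ca \
    -out "$1/inter.pem" 2>/dev/null
  # Server (leaf) certificate, issued by the intermediate.
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" \
    -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# check_chain TRUSTED_ROOT LEAF [INTERMEDIATES_SENT_BY_SERVER]
# Prints "complete" when LEAF chains to TRUSTED_ROOT using only the
# certificates supplied, otherwise "incomplete".
check_chain() {
  if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
  then echo complete
  else echo incomplete
  fi
}

lab=$(mktemp -d)
make_lab "$lab"
echo "leaf only:           $(check_chain "$lab/root.pem" "$lab/leaf.pem")"
echo "leaf + intermediate: $(check_chain "$lab/root.pem" "$lab/leaf.pem" "$lab/inter.pem")"
rm -rf "$lab"
```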

Checking the Certificate Chain

If the error occurs, check the following.

Using SSL Labs

You can test the server certificate configuration using the SSL Labs test:

https://www.ssllabs.com/ssltest/

Enter the server name and review the results. If the report shows Chain issues or Incomplete chain, the server is not providing the full certificate chain.

Checking on the Server

On the IIS server hosting the service:

Run mmc.

Select File > Add/Remove Snap-in.

Add Certificates and choose Local Computer.

Check the Intermediate Certification Authorities store. If the intermediate certificate that issued the server certificate is missing, the server may not be presenting the full certificate chain.

Fixing a Missing Intermediate Certificate

If the intermediate certificate is missing, obtain it from your certificate provider (for example DigiCert, GlobalSign, or Let's Encrypt).

Then import the certificate into Intermediate Certification Authorities on the server and restart IIS.

Once the intermediate certificate is installed and IIS restarted, the server should present the complete certificate chain.

Certificates Issued by an Internal CA

If the certificate was issued by an internal Certificate Authority (for example Active Directory Certificate Services), Android devices must trust the root certificate used by that CA.

This may require the root CA certificate to be manually installed on Android devices, or the application to be configured to trust user-installed certificates.

Many Android applications do not trust user-installed CAs by default due to Android security restrictions introduced in Android 7 and later.

Client Behaviour

This error cannot be mitigated from the Accredo client. It is generated by Android when the certificate chain provided by the server cannot be trusted.

If this error occurs, the server's SSL/TLS certificate configuration should be reviewed to ensure that the complete and correct certificate chain is being presented.