I installed a new PositiveSSL certificate from Comodo on a Windows Server 2008 R2 computer. I successfully connected from the following clients
- Chrome for Windows
- Chrome for Android
- Firefox for Windows
- Internet Explorer
- Vivaldi for Windows
- Opera for Windows (both HTTPS and IMAP)
- Remote Desktop Connection for Windows
to the following servers
- Apache with mod_ssl
- Remote Desktop Services
- MDaemon
However, when I use K-9 Mail for Android to connect to MDaemon, I get the error
java.security.cert.CertPathValidatorException: Trust Anchor for certificate path not found
I assume that Chrome and K-9 behave differently on the same phone because Chrome for Android ships its own Root CA store and doesn't rely on the Android OS Root CA store, or at least has different trust validation logic.
The certificates I installed came directly from the ZIP file that Comodo emailed to me:
AddTrustExternalCARoot.crt (this is the root CA)
COMODORSAAddTrustCA.crt (this is a higher-level intermediate CA)
COMODORSADomainValidationSecureServerCA.crt (this is a lower-level intermediate CA)
www_myserver_com.crt (this is my server's cert)
When I installed these into the Windows Certificate Store for RDP and MDaemon to use, I converted these certs into a PKCS12 file using
cat "./www_myserver_com.crt" "./COMODORSADomainValidationSecureServerCA.crt" "./COMODORSAAddTrustCA.crt" "AddTrustExternalCARoot.crt" > "./fullchain.crt"
openssl pkcs12 -in "./fullchain.crt" -inkey "./www_myserver_com.key" -out "./fullchain.pfx" -export
and then imported the PFX file into the Certificates MMC Snap-In for the Computer Account using the automatic store destination. I selected the new cert in MDaemon's Security Settings dialog under SSL & TLS > MDaemon and hit Restart Servers. Using OpenSSL, I can see that the correct certificate is being served along with intermediate certs.
C:\>openssl s_client -connect myserver.com:993
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.myserver.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.myserver.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MII..8hg==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.myserver.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3401 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: F04A0000068E4DC91357783440DA44EEB39DA3C813C3C646EBCE29DDD3E8C139
    Session-ID-ctx:
    Master-Key: FF3D72A03F1F93686AC6EAB38198036C7AF1780250ED3F510A83CE6DC166778FA726DBC2AA4ED6C5277A0969D175E419
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1495135778
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
I looked at the certificate chain in Android and whether the root CA was in Android's CA store.
Here is the expected full certificate chain. The names below are Common Names (CN).
AddTrust External CA Root
└─COMODO RSA Certification Authority
  └─COMODO RSA Domain Validation Secure Server CA
    └─www.myserver.com
I saw that the AddTrust External CA Root did exist in the Android certificate store with the correct thumbprint.
Why is K-9 Mail throwing the error stating that there is no path from my server's TLS certificate to a trusted root CA?
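The `Certificate chain` section of the s_client output above lists two certificates sent by the server (the leaf at position 0 and the Domain Validation CA at position 1); whether a client can then reach a trust anchor depends on which intermediates it received and which roots its own store holds. The Go program below is an added example, not code from the question or from K-9 Mail, MDaemon or Comodo: it generates a constructed hierarchy with the same Common Names (Ed25519 keys; a self-signed and a cross-signed copy of the COMODO-style CA) and checks path building for the combinations a client may face.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const host = "www.myserver.com" // server name from the question
// issue signs a certificate for cn over key's public half; parent == nil means self-signed.
func issue(cn string, isCA bool, key ed25519.PrivateKey, parent *x509.Certificate, parentKey ed25519.PrivateKey, sans ...string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
func newKey() ed25519.PrivateKey { _, k, _ := ed25519.GenerateKey(rand.Reader); return k }

// BuildPKI mirrors the question's chain with constructed certs; the COMODO-style CA is both self-signed and cross-signed by the root.
func BuildPKI() (root, caSelf, caCross, dv, leaf *x509.Certificate) {
	rootK, caK, dvK, leafK := newKey(), newKey(), newKey(), newKey()
	root = issue("AddTrust External CA Root", true, rootK, nil, nil)
	caSelf = issue("COMODO RSA Certification Authority", true, caK, nil, nil)
	caCross = issue("COMODO RSA Certification Authority", true, caK, root, rootK) // same key and name, issued by the root
	dv = issue("COMODO RSA Domain Validation Secure Server CA", true, dvK, caSelf, caK)
	leaf = issue(host, false, leafK, dv, dvK, host)
	return
}

// PathFound reports whether leaf chains to the client's store using only the intermediates the server sent.
func PathFound(leaf *x509.Certificate, sent, store []*x509.Certificate) bool {
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	for _, c := range store {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inter, Roots: roots})
	return err == nil
}
```

A store holding only the AddTrust root finds no path unless the cross-signed COMODO CA is among the intermediates it received, while a store that already trusts the COMODO RSA CA directly needs no cross certificate.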