Welcome to the official BlackBerry Support Community Forums.

BlackBerry® Enterprise Service 10

New Contributor
markmoon
Posts: 6
Registered: ‎06-06-2012
My Device: Blackberry 9930
My Carrier: Verizon

Certificate not trusted

I am getting an error when I go to activate my Android phones. After I enter my server's URL I get an error that says: Certificate not trusted. The security certificate for this server is not trusted. Do you want to continue?

I got an SSL cert from Go Daddy and installed it on my Fusion server. I tested my cert using http://www.sslshopper.com/ssl-checker.html and it validated the SSL cert.

My Fusion webserver is in a DMZ and I can browse to www.my-domain.com/ios/mdm/2 on the Android phone's browser without getting any SSL errors. I checked in the browser and it is loading the SSL cert correctly.

Does anyone have any ideas why I am getting this error? Thanks for your help

BlackBerry Technical Advisor
-BD-
Posts: 483
Registered: ‎05-15-2008
My Device: Z10
My Carrier: Rogers

Re: Certificate not trusted

I would check your version of Android and see if it includes the root certs for Go Daddy.  I've found that some versions of Android are missing various 3rd party root certificates.

Contributor
ts03145692
Posts: 10
Registered: ‎10-03-2012
My Device: No BB
My Carrier: AT&T

Re: Certificate not trusted

Any other reasons why this might be happening?

I am having the same problem.  The SSL checker says my certificate is valid.  When I browse to https://mysite.com in my Android's browser and view the certificate it says the certificate is valid, leading me to believe that the certificate root is on the phone and that the certificate is correct.

But when I enter mysite.com into the Mobile Fusion app I get the warning saying the certificate is not trusted.

Forums Advisor I
oliwer
Posts: 581
Registered: ‎05-23-2008
My Device: BB10 and WiFi PB
My Carrier: .

Re: Certificate not trusted

I do not know of an overview of which root CAs are trusted by Android devices (there are some for Apple devices).
Is the root CA in the trusted certificate list on the device itself?
Contributor
ts03145692
Posts: 10
Registered: ‎10-03-2012
My Device: No BB
My Carrier: AT&T

Re: Certificate not trusted

As far as I know, the only way to get a list of trusted CAs in pre-ICS Android is per device by using ADB to pull the file they are stored in.  See here for more info.  In any case, I'm sure the root CA is on the phone for the following reasons.

When I browse to my site using the Android device's browser, I do not get SSL certificate errors and the page info displays the certificate as being valid.

Next, I set up a different domain name to point at my server, thus making the SSL certificate appear to be invalid when browsing to the site using that domain (because the common name on the certificate does not match the site name).  As expected, I received an SSL warning from the Android browser.

Lastly, if I browse to https://mysite.com:8443 I do get an SSL warning stating the Administration Console's self-signed certificate does not come from a trusted authority.

Therefore, the root CA must be on my phone, otherwise I would get an SSL warning when browsing to https://mysite.com.

Since browsing to https://mysite.com and using the Mobile Fusion app use the same port (443), IIS must be serving the same certificate to both.  Now, that leaves me with confusion when Mobile Fusion tells me the certificate is invalid.  Is there any way to view the certificate that is presented to the Mobile Fusion app?

I'm sure I have something misconfigured in Mobile Fusion or UDS, but I've installed UDS several times now with the same results each time.  Anyone have any thoughts?
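
One way to see what a server presents to a non-browser TLS client on a given port, and why that client rejects it (an added example, not part of the original post and not BlackBerry tooling): the script does a verified handshake and sorts a failure into the three outcomes described in the post above, untrusted root, name mismatch or self-signed certificate. The `cafile` parameter is an assumption: a PEM bundle of the roots exported from the device, so the check uses the device's trust list instead of the workstation's.

```python
import socket
import ssl

# OpenSSL X509 verify codes, grouped by the cases raised in the thread.
CATEGORIES = {
    10: "expired",         # certificate has expired
    18: "self-signed",     # self-signed leaf, e.g. a console's own certificate
    19: "untrusted-root",  # chain was sent, but its root is not in the store
    20: "untrusted-root",  # issuer not found in the trust store that was used
    21: "untrusted-root",  # leaf could not be linked to any trusted issuer
    62: "name-mismatch",   # certificate does not cover the requested host name
}


def diagnose(exc):
    """Map a certificate verification error to one of the categories above."""
    return CATEGORIES.get(getattr(exc, "verify_code", None), "other")


def check(host, port=443, cafile=None, timeout=10):
    """Verified handshake; returns (category, detail).

    With cafile set, only the roots in that PEM bundle are trusted (the
    system store is not loaded), which imitates a client with a smaller
    trust list than the desktop browser.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return diagnose(exc), exc.verify_message
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return "trusted", issuer.get("commonName", "")


def presented_pem(host, port=443, timeout=10):
    """Return the leaf certificate the server sends, as PEM.

    Verification is switched off here for inspection only, so the
    certificate can be read even when check() reports a failure.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Calling `check("mysite.com", 443)` and `check("mysite.com", 8443)` covers the two ports compared in the post; the PEM returned by `presented_pem` can be read with `openssl x509 -text -noout`.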

Forums Advisor I
oliwer
Posts: 581
Registered: ‎05-23-2008
My Device: BB10 and WiFi PB
My Carrier: .

Re: Certificate not trusted

Are you using an internal WiFi for tests?
The reason I ask is the following:
When you install UDS you have to specify the Name for the Communication Module (where you "import" the SSL Certificate). This has to be the external (public) DNS name of the Communication Module.

Anyway, you should get an error when you try to import the cert and it does not match the name... but you know how it is.
Are you also getting a "not trusted" message or an invalid message (or something else)?
Contributor
ts03145692
Posts: 10
Registered: ‎10-03-2012
My Device: No BB
My Carrier: AT&T

Re: Certificate not trusted

First, thank you for the input.

I am not using WiFi for the tests, and am using my mobile carrier.

When I installed UDS I did use the externally accessible domain, I believe.  I registered a domain, let's call it example.info. Then I obtained an SSL certificate for example.info and imported it into IIS.  When installing UDS I use example.info as the name for all modules (they are all on the same server).

Testing in my browser from a computer outside the network that my server is on I get no SSL errors.  In the attached picture, I have browsed to https://example.info and as you can see the SSL certificate is valid.  I get no untrusted or invalid SSL messages when I connect on port 443.  Port 443 is what the Mobile Fusion app uses for communication, right?

[Image: Valid SSL]  EDIT: I don't know why the picture won't show.  It is here: http://i.imgur.com/p5zXw.png

I did get an odd occurrence at times when installing UDS, where it would fail to connect to example.info. To get around this, what I had to do was add example.info to my hosts file on the server and map it to the loopback address.  This is clearly not the way things are supposed to work, but this seems like an unrelated networking issue that I don't see affecting this SSL issue.

I think I will completely uninstall UDS and then try to install it again.  Since I want to be able to access UDS at example.info, have registered example.info, and have an SSL certificate for example.info, when I enter the "fully qualified domain name" for the Communication module, I should enter example.info.  Is that correct?

Thanks for all the help.  Hopefully I will get this sorted out in short order.

Contributor
ts03145692
Posts: 10
Registered: ‎10-03-2012
My Device: No BB
My Carrier: AT&T

Re: Certificate not trusted

Well, I sorted out the UDS installation issue, and determined it is not likely related to the certificate not trusted issue.  The UDS installation issue (having it crash or throw errors if I used the FQDN for the communication and core modules) was because of a misconfigured DNS server.  Traffic from inside our network going to our UDS server was being sent to the wrong place.  UDS now installs as per the instructions without problems.

However, my SSL certificate is still not trusted.  I used Wireshark to look at the traffic coming into the server when I try to activate devices and have found that UDS is sending the correct SSL certificate to the Mobile Fusion app on the Android phones (my certificate is issued by Comodo and I can see this certificate in the packet capture).  I have also verified that my SSL certificate is correct (by using the SSL checker mentioned in another post above and using multiple PC browsers).  In addition, I know the CA root certificate is installed on the phones (tried multiple phones) because when browsing to my domain, the Android browser says the certificate is valid.

I am starting to think this issue is with the Mobile Fusion app.  However, this doesn't seem logical since it is not a widespread problem.  Sadly, I'm running out of ideas and have to ask again if anyone has any??

Thanks for all the support so far!

Contributor
ts03145692
Posts: 10
Registered: ‎10-03-2012
My Device: No BB
My Carrier: AT&T

Re: Certificate not trusted

Took some screenshots from one of the Android phones. They show the UDS warning about the certificate and the certificate as seen from the Android browser.  Assuming the attach image feature wouldn't work for me again, here is a link:

imgur.com/a/XEGt6