LHKC

Reputation: 321

How can I fix the "No certificates found - The app Chrome has requested a certificate" Android / Google Chrome issue

The issue

Some of our website users are encountering an issue when accessing secure areas of our website, on Android devices, in Google Chrome.

It looks like this;

'No certificates found' error, as seen in Chrome on Samsung Galaxy S6 (Android v5)

I've been able to replicate the issue on the following devices using Browserstack's physical device testing;

My research

All the articles, forums and questions that I've read online (and there aren't many, unless I'm searching for the wrong thing) point to server and / or SSL certificate setup and configuration, and that the issue being experienced is by design.

Suggested fix 1

The most useful article I've found so far is Issue 268055 "No Certificates Found" on the chromium issue tracker.

Comment 18 suggests changing SSL settings in IIS;

I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that "Ignore" is selected for Client Certificates.

Comment 28 backs it up;

For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There's nothing that Chrome can do here - the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That's the prompt you're seeing - it's controlled by Android and all apps (Google or otherwise) are required to go through that flow.

This will occur with any site configured to request client certificates, so to resolve this, either don't request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).

kamakshi: This is all "By Design" behaviour, but requires server operators to change, so I'm not sure what to do with this bug.

As does comment 43;

I don't think people on this bug would know much about configuring IIS. You'd want to talk with Microsoft about that. From searching around, "Ignore Client Certificate" seems to be the option you want.

We've done that but it doesn't seem to have made a difference.

IIS SSL settings

Suggested fix 2

Another question here on Stack ("certificate trusted on pc but not in android") suggests that an intermediate certificate might be missing;

You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

I've checked and we have a domain certificate (which isn't a wildcard certificate), an intermediate certificate and a root certificate, so I don't think that's the issue either. I've also run a site checker test on the Networking4all website, and an SSL test on the Qualys SSL website and they both pass without errors or warnings.

My question

Has anyone else encountered this issue? Are there any other solutions that we can try to fix it? I'm out of ideas at this point so any advice would be hugely appreciated.

Some extra details just in case

The server the website is on is running Windows Server 2008 R2 and IIS 7.5, and our SSL certificate provider is Thawte.

Thanks in advance!

Upvotes: 32

Views: 74156

Answers (2)

Brent Bradburn

Reputation: 54979

The message and description are not end-user friendly. It may make someone assume that there is a problem with the server identity used for SSL/TLS, but that is not the case.

Although not explicitly stated, this is referring to a client certificate which could be used to authenticate the user -- but may not be required if alternative credentials (username/password) are provided.

This is not necessarily a flaw on the server side -- accepting client certificates may be desirable. The problem here is that some browsers (often when used for authentication in mobile apps) present this cryptic message for no particular reason (most browsers don't mention it when the client certificate is not present).

If you do, in fact, support optional client certificates, the fix is to instruct your users to either install a client certificate (that they would get from you) -- or to simply 'cancel' and ignore this message every time it appears* (in which case they would then sign in using regular credentials).

*In fact, the user may not need to press 'cancel', as the same effect is achieved just by touching the screen outside of the dialog -- that's how unimportant this dialog is.

Upvotes: 1

Metro Smurf

Reputation: 38385

Having just resolved this exact same issue, here's what I found...

Server Specs (essentially the same as O.P)

  • Windows Server 2008 r2
  • IIS 7.5
  • SSL Provider: GeoTrust RapidSSL

First Issue: Out of Date Cryptographic Policies

Several articles pointed out the server may have out of date cryptographic policies. A bit of research revealed everything must be configured using registry settings. See the MS Support article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll for detailed information.

Not sure if your server is up to date? SSL Labs' Server Test is a great tool for validating your site's cryptographic policies.

Manually Edit the Registry?

The MS Support article details editing the registry keys. Aack! A bit more research and I found a great utility called IIS Crypto by Nartac Software that will update all the registry keys in a single click. FYI: a reboot is required as well.

From the Nartac Software site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Second Issue: Incorrect IIS SSL Site Settings

The root of this issue is IIS's default of setting the SSL Settings to "Accept" client certificates. There is no need to accept client certs, so simply set the setting to "Ignore" (from the O.P.'s suggested fix #1 image).

Note: The image shows "Require SSL" is unchecked; for this discussion, whether it is checked is not relevant. All that matters is the site can connect using https.

Ignore Client certificates in IIS

Wrap Up

Once the server has the cryptographic policies reconfigured and the IIS SSL Settings have been set to ignore client certs, the "No certificates found" error will be resolved.

Upvotes: 16
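As an added example (not code from the question or either answer), this Go program reproduces the mechanism described in comment 28 and in the "Second Issue" section: a loopback TLS server configured like IIS "Accept" (tls.RequestClientCert) versus "Ignore" (tls.NoClientCert), and a client that reports whether it received a CertificateRequest, which is the event that makes Chrome on Android hand off to the OS certificate picker. The certificate and the local server are constructed for the example; the client half can be pointed at a real host to confirm the IIS change took effect.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate for the local test server (constructed, not production).
func selfSigned() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ServerRequestsClientCert starts a local TLS server with the given client-auth
// policy and reports whether a connecting client receives a CertificateRequest.
// tls.RequestClientCert mirrors IIS "Accept"; tls.NoClientCert mirrors "Ignore".
func ServerRequestsClientCert(policy tls.ClientAuthType) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{selfSigned()}, ClientAuth: policy})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() { // server side: accept one connection and finish the handshake
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	requested := false
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // the test server's certificate is self-signed
		// Called only if the server sends CertificateRequest; an empty Certificate sends none, like pressing Cancel.
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			requested = true
			return &tls.Certificate{}, nil
		},
	})
	if err == nil {
		conn.Close()
	}
	return requested, err
}
```

With "Accept" the handshake still succeeds without a certificate, which is why cancelling the Android prompt lets the page load; with "Ignore" the prompt never appears because no CertificateRequest is sent.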
