nirmal patidar

Reputation: 41

Security with HTTPS and SSL :-javax.net.ssl.SSLHandshakeException: Certificate expired

I have tried to check for a missing intermediate certificate authority using this command:

$ openssl s_client -connect mail.google.com:443

For my website, which should show the certificate chain, it only shows one certificate, which is already expired. But when I checked the server certificate configuration on https://www.digicert.com/help/

it shows that the SSL certificate is correctly installed and shows the proper intermediate certificate chain, and when I try to access the web API in my Android app it shows the following error:

javax.net.ssl.SSLHandshakeException: Certificate expired at Thu Jun 11 21:58:21 GMT+05:30 2015 (compared to Wed May 18 10:48:45 GMT+05:30 2016)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:327)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:638)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:600)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:75)
05-18 10:48:45.750 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:93)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:187)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:123)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:134)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:196)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:169)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:124)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:365)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:602)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:522)
05-18 10:48:45.751 28372-28412/com.src.giveup1 W/System.err:     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:500)

I am using the following link for checking the server certificate in my Android app: http://blog.fordemobile.com/2012/04/https-requests-on-android.html

Is the certificate properly configured on the server, or am I using the wrong code for checking the certificate?

Upvotes: 3

Views: 3200

Answers (1)

SkyWalker

Reputation: 29150

You have already found your issue. Actually, your certificate is expired. Your web service's app server needs to update its certificate.

For a full tutorial on creating and checking certificates you can follow these tutorials:

  1. The Most Common OpenSSL Commands
  2. How To Verify SSL Certificate From A Shell Prompt

To change the certificate, you can follow this tutorial:

http://www.albeesonline.com/blog/2009/06/24/javax-net-ssl-sslhandshakeexception-certificate-expired/


Full Tutorial:

For testing purposes I will use the mail.google.com:443 SSL certificate, which is issued by Go Daddy.

Step # 1: Getting The Certificate

Create directory to store certificate:

$ mkdir -p ~/.cert/mail.google.com/
$ cd ~/.cert/mail.google.com/

Retrieve the mail.google.com certificate provided by the google mail server:

$ openssl s_client -showcerts -connect mail.google.com:443

Copy from the “-----BEGIN CERTIFICATE-----” to the “-----END CERTIFICATE-----” line, and save it in your ~/.cert/mail.google.com/ directory as mail.google.com.pem.

Step # 2: Getting The Certificate Of The Issuer

If this certificate was issued by Go Daddy, you need to get the “Certification Authority Root Certificate” (visit your CA's website to get the root certificate):

$ wget https://certs.godaddy.com/repository/gd_bundle.crt -O ~/.cert/mail.google.com/gd.pem

Step # 3: Rehashing The Certificates

Create symbolic links to files named by the hash values using c_rehash, enter:

$ c_rehash ~/.cert/mail.google.com/

Sample output:

Doing  ~/.cert/mail.google.com/
mail.google.com.pem => 1d97af50.0
gd.pem => 219d9499.0

Test It

To confirm you have the correct and working certificates, enter:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:443

Sample output:

CONNECTED(00000003)
......
....
 Verify return code: 0 (ok)
---

There should be lots of data; however, the important thing to note is the final line “Verify return code: 0 (ok)”. I'm using the same certificate for a Dovecot IMAP mail server; type the following to verify the mail server SSL certificate:

$ openssl s_client -CApath ~/.cert/mail.google.com/ -connect mail.google.com:993

Sample output:

CONNECTED(00000003)
.....
.....
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR SORT THREAD=REFERENCES MULTIAPPEND UNSELECT LITERAL+ IDLE CHILDREN NAMESPACE LOGIN-REFERRALS UIDPLUS LIST-EXTENDED I18NLEVEL=1 QUOTA AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

Again, the final “Dovecot ready” line along with the 0 return code indicates that everything is working fine.

Resource Link:

Verifying that a Private Key Matches a Certificate

Upvotes: 1
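The two findings discussed in the question and answer, an expired leaf and a server that presents only that leaf without its intermediate, can be checked programmatically once the presented certificates are in hand. The following is an added example, not code from the question, the answer or the linked tutorials: it takes certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns (the sample chains, names and dates below are constructed for illustration) and reports which certificates are expired at a given time, where issuer/subject links break, and whether only a non-self-signed leaf was sent.

```python
import ssl
import time

# Constructed sample input: one dict per certificate the server presented, in the
# shape ssl.SSLSocket.getpeercert() uses. Names and dates are made up.
LEAF_ONLY = [
    {"subject": ((("commonName", "api.example.invalid"),),),
     "issuer": ((("commonName", "Example Intermediate CA"),),),
     "notBefore": "Jun 11 21:58:21 2014 GMT",
     "notAfter": "Jun 11 21:58:21 2015 GMT"},
]
FULL_CHAIN = [
    {"subject": ((("commonName", "api.example.invalid"),),),
     "issuer": ((("commonName", "Example Intermediate CA"),),),
     "notBefore": "May 10 00:00:00 2016 GMT",
     "notAfter": "May 10 00:00:00 2017 GMT"},
    {"subject": ((("commonName", "Example Intermediate CA"),),),
     "issuer": ((("commonName", "Example Root CA"),),),
     "notBefore": "Jan 10 00:00:00 2010 GMT",
     "notAfter": "Jan 10 00:00:00 2030 GMT"},
]
# The moment of the handshake in the question's error, converted to UTC.
AT_ERROR_TIME = ssl.cert_time_to_seconds("May 18 05:18:45 2016 GMT")

def common_name(name):
    """Pull commonName out of the nested ((('type', 'value'),), ...) tuples."""
    return dict(pair for rdn in name for pair in rdn).get("commonName")

def check_chain(chain, now=None):
    """Classify the certificates a server presented, as a strict client would.

    Returns a dict: 'expired' lists CNs whose notAfter is before `now`,
    'chain_breaks' lists (issuer, next_subject) pairs that do not match, and
    'missing_intermediates' is True when only a non-self-signed leaf was sent.
    """
    now = time.time() if now is None else now
    report = {"expired": [], "chain_breaks": [], "missing_intermediates": False}
    for i, cert in enumerate(chain):
        # cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" format.
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            report["expired"].append(common_name(cert["subject"]))
        if i + 1 < len(chain):
            issuer = common_name(cert["issuer"])
            nxt = common_name(chain[i + 1]["subject"])
            if issuer != nxt:
                report["chain_breaks"].append((issuer, nxt))
    leaf = chain[0]
    if len(chain) == 1 and common_name(leaf["issuer"]) != common_name(leaf["subject"]):
        # Only the leaf arrived: the client must already trust the intermediate.
        report["missing_intermediates"] = True
    return report

if __name__ == "__main__":
    print(check_chain(LEAF_ONLY, AT_ERROR_TIME))
    print(check_chain(FULL_CHAIN, AT_ERROR_TIME))
```

Because the question's `openssl s_client` output showed a single expired certificate, the leaf-only case is the one that matches it; a chain that passes here must still be verified against a trust store, which this check does not replace.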
