Problem with new SSL certs

Hi,

I'm the author of the TiskTasks Android client (http://tisktasks.com)

My users have started complaining that they cannot log in. It appears that the SSL certs recently expired and were updated (https://todoist.com/Support/showQuestion/636/).

However, I think there's something wrong with todoist.com's server's SSL configuration. While browsers can access https://todoist.com, all Android clients will error out on connecting to https://todoist.com. The error is:
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate

After a bit of searching, it appears this may be an issue with the new RapidSSL certs, where an intermediate cert is not also available in the todoist.com server's SSL configuration, and thus Android clients don't trust the chain.

Here are some details of the problem:
http://code.google.com/p/android/issues/detail?id=15968

I ran openssl to see what the cert looks like:
openssl s_client -connect todoist.com:443
CONNECTED(00000003)
depth=0 /serialNumber=nr-Y4T4uBpnQZ4J9-1PpYv8cOA5gULge/C=DK/O=*.todoist.com/OU=GT97297051/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.todoist.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=nr-Y4T4uBpnQZ4J9-1PpYv8cOA5gULge/C=DK/O=*.todoist.com/OU=GT97297051/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.todoist.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=nr-Y4T4uBpnQZ4J9-1PpYv8cOA5gULge/C=DK/O=*.todoist.com/OU=GT97297051/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.todoist.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/serialNumber=nr-Y4T4uBpnQZ4J9-1PpYv8cOA5gULge/C=DK/O=*.todoist.com/OU=GT97297051/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=*.todoist.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---

You can see that parts of the chain are not trusted.

I could work around this in the Android client by ignoring SSL errors, but that is not something I'd like to do.

Comment #16 (by chancell...@qochealth.com, Jul 10, 2011) on the above code.google.com issues page suggests you can get a new complete cert from RapidSSL.

Would you be able to look into that? Thanks.
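
The diagnosis in the post above, as an added example that is not part of the original post: a small parser that reads `openssl s_client` output and reports when the topmost certificate the server sent names an issuer the client could not find. The sample input is the output quoted above with the subject DN abridged; the function names and result keys are this example's own.

```python
import re

# Constructed sample: the s_client output quoted in the post, with the long
# subject DN abridged to three fields.
SAMPLE = """\
CONNECTED(00000003)
depth=0 /C=DK/O=*.todoist.com/CN=*.todoist.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=DK/O=*.todoist.com/CN=*.todoist.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=DK/O=*.todoist.com/CN=*.todoist.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    chain, subject, in_chain = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Certificate chain":
            in_chain = True
        elif in_chain and line == "---":
            break
        elif in_chain and re.match(r"\d+\s+s:", line):
            subject = line.split("s:", 1)[1].strip()
        elif in_chain and line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:].strip()))
            subject = None
    return chain

def diagnose(text):
    """Flag a chain whose top issuer was neither sent nor found locally."""
    chain = parse_chain(text)
    errors = sorted({int(n) for n in re.findall(r"verify error:num=(\d+):", text)})
    if not chain:
        return {"sent": 0, "errors": errors, "missing_issuer": None}
    sent_subjects = {s for s, _ in chain}
    top_issuer = chain[-1][1]
    # A chain that stops below the root is normal (roots are rarely sent).
    # It is a server-side gap only when the client also reports error 20/21,
    # i.e. it has no local copy of that issuer to finish the path with.
    unresolved = top_issuer not in sent_subjects and bool({20, 21} & set(errors))
    return {"sent": len(chain), "errors": errors,
            "missing_issuer": top_issuer if unresolved else None}

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A non-empty `missing_issuer` is the certificate the server should append to the chain it serves; the result depends on the trust store of the machine that ran `s_client`, which is why browsers and older Android devices can disagree.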

All responses

David Trey staff
Replied on Oct 19, 2011 - 05:10 UTC

Hello Nic,

thank you very much for the detailed report. I have forwarded this issue to the developers.

Sorry for the inconvenience.


Best regards,
David

Amir Salihefendic staff
Replied on Oct 19, 2011 - 08:26 UTC

Hi Nic

Thanks a lot for the detailed feedback. We have contacted RapidSSL regarding this issue - it does seem like we need to get a new certificate from them.

Best regards,
Amir

Amir Salihefendic staff
Replied on Oct 19, 2011 - 18:00 UTC

This issue should now be resolved, thanks for your patience.

Best regards,
Amir

Nic Jansma premium
Replied on Oct 19, 2011 - 18:30 UTC

Perfect, everything's working great on Android clients again.

Thank you,

Peter
Replied on Oct 20, 2011 - 16:05 UTC

The problem goes on. Whenever I want to connect to todoist (with ANDROID 2.2.1 MOTOROLA Defy) I get: javax.net.ssl.SSLException: Not trusted server certificate.
What's to do?

David Trey staff
Replied on Oct 20, 2011 - 17:08 UTC

Hello Peter,

please tell me - are you accessing the Todoist mobile page http://todoist.com/m or are you using a third-party application?


Best regards,
David

Peter
Replied on Oct 20, 2011 - 17:30 UTC

Hello David

thanks for help
No problem with: todoist.com/m
but TodoistDroid App says: javax.net.ssl.SSLException
and Todoist for Android says: Autentificacion failed

But I want to use Apps not page

Best regards Peter

Claudia Micare premium
Replied on Oct 24, 2011 - 10:49 UTC

I get a certificate error preventing me from seeing Todoist in Outlook. It persists, could this be related? Can it be resolved?

David Trey staff
Replied on Oct 24, 2011 - 12:29 UTC

Hello,

@Peter,
thank you for your feedback. Unfortunately, we didn't get any issue reports from other third party app developers (except the author of TiskTasks above). Please ask the developers of these apps if they're aware of this issue and if they can reproduce it, or give us some feedback if it's related to the issue with the latest SSL certificate.

@Claudia,
please tell me:
- Which Outlook version and operating system are you using?
- What happens exactly when you open Outlook?
- Do you get an error message before the Todoist window opens? Does it open at all?
- When are you getting this error?
- What does it say exactly?


Best regards,
David

Claudia Micare premium
Replied on Oct 24, 2011 - 12:35 UTC

@David;

-Outlook 2007
-when I open outlook I get a column to the right where in the past I have at times been able to see my to do list, only now it says:
"Content was blocked because it was not signed by a valid security certificate. For more information, see "Certificate Errors" in Internet Explorer Help."
-Yes the error was there when I first opened Outlook today. I tried logging into the site for good measure then reopening outlook but the error remains.
-Lately whenever I open Outlook but even when it did load before I was receiving messages about certificates.

Hope this helps. The program is helping me keep track of a gazillion things that before were slipping off my plate! Luckily I can get there online. Thanks

David Trey staff
Replied on Oct 24, 2011 - 14:12 UTC

Claudia,

please open Internet Explorer, go to Tools -> Internet Options -> "Content" tab and click "Clear SSL state" (then close IE and open Outlook).

If this doesn't help, go to the same tab again, but this time click the "Certificates" button, go to the "Trusted Root Certification Authorities" tab and remove the "Equifax" certificate.

Also, please try to clear your IE cache and cookies.


Best regards,
David

Claudia Micare premium
Replied on Oct 24, 2011 - 14:17 UTC

Hi David--Clearing the SSL state worked! You're a genius

Todd Donatello premium
Replied on Oct 25, 2011 - 06:17 UTC

Nic et al,

Not working on my LG Ally running Android 2.2.2. Getting a login failed message on TiskTasks for Todoist despite entering in my UID and PW correctly and checking my connection. Even though I'm not using IE, I still tried clearing cache and cookies, etc. but to no avail. I've messaged Nic separately on this too. But it seems something has happened between the date of his reply that everything appeared to be in order (10/19) and today (10/25).

Eager Todoist and TiskTasks user, hoping we can get this resolved.

Thanks,
Todd

Nic Jansma premium
Replied on Oct 28, 2011 - 02:18 UTC

Hi guys,

As Todd mentions, the updated SSL certificates unfortunately do not work with all Android OS devices.

I've verified the updated certificates work with my Motorola Droid Bionic (Android 2.3), but not my HTC Incredible (Android 2.2). I think 2.2 devices will not have the updated certs.

Is it possible to get RapidSSL to use a different root certificate that older Android clients will allow? Or install the appropriate intermediate cert on the todoist SSL server?

e.g.:
http://code.google.com/p/android/issues/detail?id=10807

https://support.servertastic.com/entries/426677-rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device

http://stackoverflow.com/questions/7203857/rapidssl-certificate-not-trusted-on-android-tablet

https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem

Unfortunately, 99.99% of users that hit a login issue in any Android app will assume it's the app or todoist.com's fault, not that their OS may need a root certificate update.

Thanks for taking a look!

David Trey staff
Replied on Nov 04, 2011 - 16:10 UTC

Hello,

we have installed a new certificate: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668

Please let us know if it fixes this issue.

Sorry for the inconvenience.


Best regards,
David

Nic Jansma premium
Replied on Nov 04, 2011 - 21:43 UTC

Thanks David! I've verified that it works on my HTC Incredible 2.2 device.

Todd Donatello premium
Replied on Nov 05, 2011 - 05:19 UTC

Thank you very much David. I was able to access through TiskTasks for the very first time last night!

Nic Jansma premium
Replied on Oct 18, 2013 - 15:47 UTC

Hi guys,

Hate to re-open this really old thread, but this is happening again.

David Trey staff
Replied on Oct 18, 2013 - 17:23 UTC

Hello Nic,

Please clarify which issue you are referring to. Our certificate did expire recently and we've had some temporary issues with it, but it's now renewed until November 2015.

A different issue that's been reported, but also should be fixed is the fact that the Outlook plugin recognizes our Wedoist certificate instead of the Todoist one. Please let us know which one you're experiencing.


Best regards,
David

Nic Jansma premium
Replied on Oct 18, 2013 - 18:07 UTC

Hi David,

Sorry for the confusion. I had reported (in another thread, last week) about the wedoist certificate. I saw that issue reproduce yesterday, but not today. That issue is not why I wrote in this thread.

I just replied to the messages in this thread (which was originally opened in 2011) due to the problem stated in the first message of this thread. I'm seeing in some Android phones (including those with API 2.3.x) the "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate" issue due to the latest todoist.com SSL certificate update.

When this happened last time, you guys were able to resolve the issue with RapidSSL shortly after my suggested fixes on "Oct 27, 2011 - 21:18".

Hope that explains things a bit better. Basically, I think you need updated RapidSSL (or whoever) certs that contain the full certificate chain in the bundle on your webserver.

David Trey staff
Replied on Oct 18, 2013 - 22:06 UTC

Nic,

Thank you for clarifying, I'll pass it to the developers and I'll let you know what they say.


Best regards,
David

David Trey staff
Replied on Oct 21, 2013 - 11:56 UTC

Nic,

This issue should now be fixed, please let us know in case it persists.


Best regards,
David

Nic Jansma premium
Replied on Oct 22, 2013 - 15:55 UTC

Thank you, I can confirm the problem is resolved in my older phones.