
Secure connection to Stadtbibliothek Würzburg failed #582

Closed
dueringa opened this issue Jul 5, 2020 · 17 comments

@dueringa
Contributor

dueringa commented Jul 5, 2020

See also issue #577

Same issue as in this ticket.

Stadtbibliothek Würzburg uses the same Root Certificate, so I thought the linked issue fixed this.

I added the root certificate as mentioned in the linked issue anyway. The output said:

$ LC_ALL=C ./tools/add_certificate.bash opac.stadt.wuerzburg.de
Adding certificate to opacclient/libopac/src/main/resources/ssl_trust_store.bks...
Certificate already exists in system-wide CA keystore under alias <debian:usertrust_rsa_certification_authority.pem>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
[Storing opacclient/libopac/src/main/resources/ssl_trust_store.bks]

However, I'm still getting the error message.

I deleted all app data and re-added the library, didn't change the behavior.

adb logcat says

07-05 20:38:50.345 13387 13424 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-05 20:38:50.348 13387 13424 W System.err: 	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:11)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:9)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:15)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:36)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:1)
07-05 20:38:50.348 13387 13424 W System.err: 	at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:6)
07-05 20:38:50.351 13387 13424 W System.err: 	at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:5)
07-05 20:38:50.358 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:10)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:1)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:22)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:10)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:1)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:22)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:10)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:9)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:10)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:1)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:13)
07-05 20:38:50.359 13387 13424 W System.err: 	at okhttp3.RealCall.execute(RealCall.java:9)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.OkHttpBaseApi.httpGet(OkHttpBaseApi.java:6)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.OkHttpBaseApi.httpGet(OkHttpBaseApi.java:26)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.BiBer1992.parseSearchFields(BiBer1992.java:3)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.BaseApi.getSearchFields(BaseApi.java:1)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.frontend.SearchFragment$LoadSearchFieldsTask.doInBackground(SearchFragment.java:2)
07-05 20:38:50.359 13387 13424 W System.err: 	at de.geeksfactory.opacclient.frontend.SearchFragment$LoadSearchFieldsTask.doInBackground(SearchFragment.java:1)
07-05 20:38:50.359 13387 13424 W System.err: 	at android.os.AsyncTask$2.call(AsyncTask.java:333)
07-05 20:38:50.359 13387 13424 W System.err: 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
07-05 20:38:50.359 13387 13424 W System.err: 	at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
07-05 20:38:50.360 13387 13424 W System.err: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
07-05 20:38:50.360 13387 13424 W System.err: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
07-05 20:38:50.360 13387 13424 W System.err: 	at java.lang.Thread.run(Thread.java:764)
07-05 20:38:50.360 13387 13424 W System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-05 20:38:50.360 13387 13424 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:646)
07-05 20:38:50.360 13387 13424 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
07-05 20:38:50.360 13387 13424 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
07-05 20:38:50.361 13387 13424 W System.err: 	at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
07-05 20:38:50.361 13387 13424 W System.err: 	at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
07-05 20:38:50.361 13387 13424 W System.err: 	at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
07-05 20:38:50.361 13387 13424 W System.err: 	... 31 more
07-05 20:38:50.361 13387 13424 W System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-05 20:38:50.361 13387 13424 W System.err: 	... 42 more
07-05 20:38:50.361 13387 13424 W System.err: de.geeksfactory.opacclient.networking.SSLSecurityException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-05 20:38:50.361 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.OkHttpBaseApi.httpGet(OkHttpBaseApi.java:21)
07-05 20:38:50.362 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.OkHttpBaseApi.httpGet(OkHttpBaseApi.java:26)
07-05 20:38:50.362 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.BiBer1992.parseSearchFields(BiBer1992.java:3)
07-05 20:38:50.362 13387 13424 W System.err: 	at de.geeksfactory.opacclient.apis.BaseApi.getSearchFields(BaseApi.java:1)
07-05 20:38:50.362 13387 13424 W System.err: 	at de.geeksfactory.opacclient.frontend.SearchFragment$LoadSearchFieldsTask.doInBackground(SearchFragment.java:2)
07-05 20:38:50.362 13387 13424 W System.err: 	at de.geeksfactory.opacclient.frontend.SearchFragment$LoadSearchFieldsTask.doInBackground(SearchFragment.java:1)
07-05 20:38:50.362 13387 13424 W System.err: 	at android.os.AsyncTask$2.call(AsyncTask.java:333)
07-05 20:38:50.362 13387 13424 W System.err: 	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
07-05 20:38:50.362 13387 13424 W System.err: 	at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
07-05 20:38:50.362 13387 13424 W System.err: 	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
07-05 20:38:50.362 13387 13424 W System.err: 	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
07-05 20:38:50.362 13387 13424 W System.err: 	at java.lang.Thread.run(Thread.java:764)

Also, both Firefox 78 and openssl 1.1.1d complain about an old TLS version when visiting the URL (https://opac.stadt.wuerzburg.de) - is this related?

(This also means I had to save the root certificate via Firefox, and change the add_certificate script accordingly, since openssl wouldn't accept it.)

  • WebOpac version, self-built from tag 6.2.8, target opacapp:assembleFossRelease
  • Android version: LineageOS 16.0
@johan12345
Collaborator

Maybe this helps? opacapp/opacapp-config-files@9c8d548
(-> "update library data" in app settings)

@frankenpfalz

Could you please give an answer when you tested it? Thanks.
Same problem here with Stadtbibliothek Würzburg.

@dueringa
Contributor Author

dueringa commented Jul 6, 2020 via email

@johan12345
Collaborator

Hm, strange. Unfortunately I will not be able to help further as the library does not have a support contract with us.
(see https://opac.app/de/support-policy/ for details)

@raphaelm
Member

raphaelm commented Jul 7, 2020

If the trust anchor is missing, it might be that customssl does fix it, but only with Google Play Services, not in the self-built assembleFoss/fdroid one.

@dueringa
Contributor Author

dueringa commented Jul 7, 2020 via email

@raphaelm
Member

raphaelm commented Jul 7, 2020

In the Google Play Services build, we use Google's SSL provider to improve lots of these issues, especially on older devices.
https://developer.android.com/training/articles/security-gms-provider

As Johan said, though, we won't spend resources on digging into library-specific issues much deeper without a support contract :)

@johan12345
Collaborator

see also:
#559
But if you added the certificate to the app's own trust store, that should also be used without Google Play.

@dueringa
Contributor Author

dueringa commented Jul 7, 2020

Thanks for the information. I understand the lack of support contract problem.

For completeness, I tried calling openssl with the option to accept TLS1 connections:

$ openssl s_client -tls1 -CAfile opac-stadt-wuerzburg-de.pem  -servername opac.stadt.wuerzburg.de -connect opac.stadt.wuerzburg.de:443
CONNECTED(00000003)
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = opac.stadt.wuerzburg.de
verify error:num=21:unable to verify the first certificate
verify return:1
140436286379136:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
---
Certificate chain
 0 s:CN = opac.stadt.wuerzburg.de
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
subject=CN = opac.stadt.wuerzburg.de

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

---
No client certificate CA names sent
---
SSL handshake has read 2232 bytes and written 143 bytes
Verification error: unable to verify the first certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1594147957
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

And ssllabs test:
https://www.ssllabs.com/ssltest/analyze.html?d=opac.stadt.wuerzburg.de

Looks rather like a server configuration problem to me (?), so I'll wait for a reply to my mail to the library.

@dueringa
Contributor Author

dueringa commented Jul 8, 2020

Addendum: The connection fails with the Google Play Store version and most recent library data as well. (Android 8, Google Play Services present)

07-08 21:21:11.954 16053 16502 W System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
07-08 21:21:11.954 16053 16502 W System.err: 	at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@202117016@20.21.17 (040304-316502805):25)
...

@dueringa
Contributor Author

It appears that the library has updated its server configuration to support TLS 1.2. However, the app still complains about "Trust anchor for certification path not found."

According to ssllabs, the server doesn't send the intermediate certificate.

Does it make sense to include the intermediate certificate in the trust store?

@dueringa
Contributor Author

dueringa commented Sep 5, 2020

Yes, adding the intermediate certificate to the trust store does make the library connection work again.

Would you accept a pull request with the intermediate certificate being added to the trust store?

@johan12345
Collaborator

The better solution would be if the library server actually sent the intermediate certificate as part of the certificate chain, as the TLS spec requires. Most modern web browsers download missing intermediate certificates automatically, but this is not a behavior that the site operator should expect. For example, curl also can't connect:

$ curl https://opac.stadt.wuerzburg.de/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If the library refuses to fix their configuration, we would accept a PR adding the intermediate certificate to the trust store.
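The three situations discussed above (server sends only the leaf; server sends the intermediate as the TLS spec requires; intermediate added to the app's own trust store, as the proposed PR does) as an added Go example, not the app's Java code. It builds a constructed root -> intermediate -> leaf chain with generated keys; the host name, CA names and the AIA URL are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI (root -> intermediate -> leaf) standing in for the Sectigo chain in the issue.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// sign issues tmpl for key pub, signed by parent (pass tmpl itself for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// NewChain builds a root CA, an intermediate CA and a server leaf for host.
func NewChain(host string) Chain {
	now, keys := time.Now(), make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		keys[i], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	tmpl := func(cn string, serial int64, isCA bool) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rt := tmpl("Example Root CA", 1, true)
	root := sign(rt, rt, &keys[0].PublicKey, keys[0])
	inter := sign(tmpl("Example DV Intermediate CA", 2, true), root, &keys[1].PublicKey, keys[0])
	lt := tmpl(host, 3, false)
	lt.DNSNames, lt.KeyUsage = []string{host}, x509.KeyUsageDigitalSignature
	lt.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	// AIA "CA Issuers" pointer: browsers follow it to fetch a missing
	// intermediate; Android/OkHttp and curl do not (constructed URL).
	lt.IssuingCertificateURL = []string{"http://example.invalid/intermediate.crt"}
	return Chain{Root: root, Intermediate: inter, Leaf: sign(lt, inter, &keys[2].PublicKey, keys[1])}
}

// Verify checks the leaf for host as a TLS client does: trusted is the client's trust store, sent the extra certificates from the server's handshake.
func Verify(c Chain, host string, trusted, sent []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, s := range sent {
		inters.AddCert(s)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	host := "opac.example.test"
	c := NewChain(host)
	root := []*x509.Certificate{c.Root}
	fmt.Println("leaf only (misconfigured server):", Verify(c, host, root, nil))
	fmt.Println("intermediate sent by server     :", Verify(c, host, root, []*x509.Certificate{c.Intermediate}))
	fmt.Println("intermediate in app trust store :", Verify(c, host, append(root, c.Intermediate), nil))
}
```

The first case fails with Go's "certificate signed by unknown authority", the counterpart of Android's "Trust anchor for certification path not found"; the other two succeed, which is why either the server fix or the trust-store workaround resolves the issue.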

@dueringa
Contributor Author

dueringa commented Sep 5, 2020

I sent out another mail with a request regarding the configuration (although I feel a bit weird about this since I didn't receive a reply to my last one). I'll keep this updated.

@dueringa
Contributor Author

dueringa commented Sep 8, 2020

Got a reply from the library:

[...]
thank you very much for your note! The app you mention was created without our involvement; we were never informed by the developer about our library being added to it. For that reason we will not make any adjustments for it. Instead, our online catalogue has its own mobile version (https://wuerzburg.bibdia-mobil.de/), which runs without errors.
[...]

Tl;dr: The webserver config won't be fixed, they're referring to their mobile OPAC.

@johan12345
Collaborator

johan12345 commented Sep 8, 2020

Well, as I said, the config being wrong is not specific to the app, it probably also doesn't work on older systems/browsers that don't automatically fetch the intermediate certificates. But okay, in this case, adding the intermediate cert to the app's keystore is fine as well.

@johan12345
Collaborator

PR #593 is merged, so it should work in the next update of the app.
