Let's Encrypt certificates fail on Android 5.x devices

Error message:

com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.volley.toolbox.NetworkUtility.shouldRetryException(NetworkUtility.java:173)
    at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:145)
    at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:132)
    at com.android.volley.NetworkDispatcher.processRequest(NetworkDispatcher.java:111)
    at com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:90)
    Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:328)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at io.sentry.okhttp.SentryOkHttpInterceptor.intercept(SentryOkHttpInterceptor.kt:116)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at org.yeshen.Stack.executeRequestInternal(OkHttpStack.kt:107)
    at org.yeshen.Stack.tryRequest(OkHttpStack.kt:142)
    at org.yeshen.Stack.executeRequest(OkHttpStack.kt:173)
    at com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:104)
    ... 3 more
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:324)
at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:225)
at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:115)
at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:556)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:324)
... 26 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 32 more

Cause: certificate chain validation failed. Details:

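Let's Encrypt's root certificate, ISRG Root X1, was issued in 2015, whereas Android 5.x was released in 2014, so its built-in trusted certificate store (CA store) does not include that certificate. Only Android 7.0+ trusts ISRG Root X1 by default. Systems from 5 to 7 therefore cannot find the root certificate in the local trust store, which produces the Trust anchor not found error.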
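
One way to supply the missing trust anchor inside the app, as an added example that is not code from the original post: build an OkHttp client whose trust manager contains the platform roots plus ISRG Root X1. It assumes the root certificate is bundled with the app and passed in as a stream together with its expected SHA-256 fingerprint; the function names and both parameters are hypothetical.

```kotlin
import java.io.InputStream
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

// Builds an X509TrustManager from a KeyStore; null means the platform CA store.
private fun trustManagerFor(keyStore: KeyStore?): X509TrustManager {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    return tmf.trustManagers.filterIsInstance<X509TrustManager>().first()
}

// rootPem: ISRG Root X1 bundled with the app (assumption: supplied by the caller).
// expectedSha256: fingerprint taken from Let's Encrypt's published value
// (assumption: caller-supplied, hex with or without colons).
fun trustManagerWithIsrgRoot(rootPem: InputStream, expectedSha256: String): X509TrustManager {
    val root = rootPem.use {
        CertificateFactory.getInstance("X.509").generateCertificate(it) as X509Certificate
    }
    // Refuse to trust a bundled file that is not the certificate we meant to ship.
    val actual = MessageDigest.getInstance("SHA-256").digest(root.encoded)
        .joinToString("") { "%02x".format(it) }
    require(actual.equals(expectedSha256.replace(":", ""), ignoreCase = true)) {
        "Bundled root fingerprint mismatch: $actual"
    }
    // Platform roots plus the one extra root; nothing is removed or bypassed.
    val merged = KeyStore.getInstance(KeyStore.getDefaultType()).apply { load(null, null) }
    trustManagerFor(null).acceptedIssuers.forEachIndexed { i, ca ->
        merged.setCertificateEntry("platform-$i", ca)
    }
    merged.setCertificateEntry("isrg-root-x1", root)
    return trustManagerFor(merged)
}

fun okHttpClientTrustingIsrgRoot(rootPem: InputStream, expectedSha256: String): OkHttpClient {
    val tm = trustManagerWithIsrgRoot(rootPem, expectedSha256)
    val ctx = SSLContext.getInstance("TLS").apply { init(null, arrayOf(tm), null) }
    // Chain validation and hostname verification stay on; only the anchor set grows.
    return OkHttpClient.Builder().sslSocketFactory(ctx.socketFactory, tm).build()
}
```

In the stack trace above, Volley delegates to OkHttp through OkHttpStack, so a client built this way would take the place of the one that stack uses.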