How can I fix the "No certificates found - The app Chrome has requested a certificate" Android / Google Chrome issue

android google-chrome ssl iis https
55,677

Having just resolved this exact same issue, here's what I found...

Server Specs (essentially the same as O.P)

  • Windows Server 2008 r2
  • IIS 7.5
  • SSL Provider: GeoTrust RapidSSL

First Issue: Out of Date Cryptographic Policies

Several articles pointed out the server may have out of date cryptographic policies. A bit of research revealed everything must be configured using registry settings. See the MS Support article How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll for detailed information.

Not sure if your sever is up to date? SSL Labs' Server Test is a great tool for validating your site's cryptographic policies.

Manually Edit the Registry?

The MS Support article details editing the registry keys. Aack! A bit more research and I found a great utility called IIS Crypto by Nartac Software that will update all the registry keys in a single click. FYI: a reboot is required as well.

From the Nartac Software site:

IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2008, 2012 and 2016. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click, create custom templates and test your website.

Second Issue: Incorrect IIS SSL Site Settings

The root of this issue due to the default of IIS setting the SSL Settings to "Accept" Client certificates. There is no need to accept client certs, so simply set the setting as "Ignore" (from the O.P.'s suggested fix #1 image).

Note: The image shows "Require SSL" is unchecked; for this discussion, whether it is checked is not relevant. All that matters is the site can connect using https.

Ignore Client certificates in IIS

Wrap Up

Once the server has the cryptographic policies reconfigured and the IIS SSL Settings have been set to ignore client certs, the "No certificates found" error will be resolved.

Share:
55,677
LHKC
Author by

LHKC

Responsible for mentoring and supporting the personal development of colleagues and apprentices, taking the role of project manager on some projects, and lead developer on others. Most recently led the redesign and development of the primary public facing website (kirklees.gov.uk), including the creation of a style guide; a set of design principles, copy-writing guidelines, methods and processes to aid the rapid develoment of applications and content areas, improve standards of accessibility and usability, and increase site-wide consistency.

Updated on June 13, 2020

Comments

  • LHKC
    LHKC almost 4 years

    The issue

    Some of our website users are encountering an issue when accessing secure areas of our website, on Android devices, in Google Chrome.

    It looks like this;

    No certificates found' error, as seen in Chrome on Samsung Galaxy S6 (Android v5)

    I've been able to replicate the issue on the following devices using Browserstack's physical device testing;

    • Samsung Galaxy S6, Samsung Galaxy S5, Samsung Galaxy S4 (Android v5 and v4.4)
    • Nexus 6 (Android v6, v5 and v4.4)
    • Moto X 2nd Gen (Android v6 and v5)

    My research

    All the articles, forums and questions that I've read online (and there aren't many, unless I'm searching for the wrong thing) point to server and / or SSL certificate setup and configuration, and that the issue being experienced is by design.

    Suggested fix 1

    The most useful article I've found so far is Issue 268055 "No Certificates Found" on the chromium issue tracker.

    Comment 18 suggests changing SSL settings in IIS;

    I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that "Ignore" is selected for Client Certificates.

    Comment 28 backs it up;

    For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There's nothing that Chrome can do here - the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That's the prompt you're seeing - it's controlled by Android and all apps (Google or otherwise) are required to go through that flow.

    This will occur with any site configured to request client certificates, so to resolve this, either don't request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).

    kamakshi: This is all "By Design" behaviour, but requires server operators to change, so I'm not sure what to do with this bug.

    As does comment 43;

    I don't think people on this bug would know much about configuring IIS. You'd want to talk with Microsoft about that. From searching around, "Ignore Client Certificate" seems to be the option you want.

    We've done that but it doesn't seem to have made a difference.

    IIS SSL settings

    IIS SSL settings

    Suggested fix 2

    Another question here on Stack ("certificate trusted on pc but not in android") suggests that an intermediate certificate might be missing;

    You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

    I've checked and we have a domain certificate (which isn't a wildcard certificate), an intermediate certificate and a root certificate, so I don't think that's the issue either. I've also run a site checker test on the Networking4all website, and an SSL test on the Qualys SSL website and they both path without errors or warnings.

    My question

    Has anyone else encountered this issue? Are there any other solutions that we can try to fix it? I'm out of ideas at this point so any advice would be hugely appreciated.

    Some extra details just in case

    The server the website is on is running Windows Server 2008 R2 and IIS 7.5, and our SSL certificate provider is Thawte.

    Thanks in advance!

    • RodgerTheGreat
      RodgerTheGreat almost 8 years
      Any luck solving this issue. I am experiencing the same problem
    • JustAGuy
      JustAGuy over 7 years
      Anyone disabling the requirement of SSL is out of his mind and compromising his system.
    • K.Sopheak
      K.Sopheak over 7 years
      I got the same problem too with my app when I click link to verify from email. It happen with chrome. Anyone solved it yet? Please hlp
    • Jonas Köritz
      Jonas Köritz over 7 years
      The server is requesting a client certificate on connection. Run wireshark to see what is actually going on on the wire. Have you completely restarted IIS after making your changes?
  • pmiranda
    pmiranda almost 3 years
    What about nginx?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)
IIS 10 - Chrome 44 ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY
IIS HTTP to HTTPS relative redirect
Android SSL https post
Untrusted certificate error and httpclient on android
Certificate issue: SSL page brings up "you need to set a lock screen pin or password before you can use credential storage" on Android
SSL/TLS protocols and cipher suites with the AndroidHttpClient
SSL error only on certain sites
How to search non ssl google?
Custom Protocol Handler not working in Chrome on SSL page