Project: chromium Issues People Development process History Sign in
New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 268055 "No Certificates Found"
Starred by 19 users Reported by jrm@google.com, Aug 3 2013 Back to list
Status: Archived
Owner:
Closed: Nov 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 2
Type: ----



Sign in to add a comment
Device name: Galaxy Nexus phone

From "Settings > About Chrome"
Application version: 28.0.1500.94
OS: Android 4.3


Behavior in Android Browser (if applicable):

Since the last Android update (or maybe Chrome update) on my phone, I get this message, over and over: "No Certificates Found. The app Chrome has requested a certificate. Choosing a certificate will let the app use this identity with servers now and in the future. The app has identified the requesting server as (...), but you should only give the app access to the certificate if you trust the app. You can install certificates from a PKCS#12 file with a .pfx or a .p12 extension located in external storage."

At that point, my choices are Install or Cancel. If I hit Install, it says "No certificate found in USB storage" and we start over again. So I hit Cancel, and we start over again. It takes four or five Cancels before it stops.


Steps to reproduce:
1. Visit a corporate site. I am signed in with my corporate account.

Expected result: Get to the site


Actual result: Get this dialogue box



 
Comment 1 by mattm@chromium.org, Aug 5 2013
Labels: Needs-Feedback
Sounds like issue 240733.  Can you try Chrome Beta (https://play.google.com/store/apps/details?id=com.chrome.beta&hl=en) and see if it is fixed?
Cc: p...@chromium.org digit@chromium.org
Status: Untriaged
Status: Available
Comment 4 by mrpatr...@gmail.com, Aug 21 2013
getting the same issue 
Comment 5 by p...@chromium.org, Aug 21 2013
mrpatryan, please see #1 - does the issue reproduce on M29?
Comment 6 by t...@bettisnet.net, Aug 21 2013
Hi, we are getting the same issue at my company when Android devices connect to our Ping Federate server for SAML authentication.  This error occurs in Chrome Beta 29.0.1547.58, Chrome 28.0.1500.94, and Internet Version 4.1.2-I535VRBMF1.  
Comment 7 by Deleted ...@, Aug 22 2013
I just installed the beta... 

And I still have the same issue. Beta 29.0.1547.58, Android 4.1.2, Galaxy S3 build JZO54K, Webkit 537.36(@155959)

I can provide a URL for testing privately.
Comment 8 by t...@bettisnet.net, Aug 23 2013
Just to note on my earlier comment, we have 4000+ android devices so this is really frustrating for our users.  Our iOS users aren't having any issues.
Comment 9 by agm@google.com, Sep 15 2013
I'm running Chrome 29.0.1547.72 on a Galaxy Nexus and I continue to see this problem.

Comment 10 Deleted
Comment 11 by t...@bettisnet.net, Oct 28 2013
This issue appears to be related to the server requesting an X.509 certificate.  When we set WantClientAuth=false on our Ping federation server the problem goes away. Unfortunately, we have other applications that depend on X.509 certificates.
I am seeing this error when loading an HTTPS resource that is secured by an *.DomainName.com type of certificate.  Prior to a recent change the certificate was in the form SubDomain.DomainName.com.  When we updated to use *.DomainName.com it appears to have broken the functionality within Chrome.  

Note that this only occurs on Chrome on a mobile device.  In my case Galaxy Note 10.1 (Galaxy S4 produces a similar message).  Chrome on my desktop is fine.
Comment 13 by Deleted ...@, Mar 1 2014
Just began seeing this on my Note 3 after an update of Chrome beta.
Comment 14 by Deleted ...@, Apr 2 2014
I'm getting this when I use the 'Report as Not Spam' link for Exchange Online Protection while on my S4. At this point I'm not sure if it's an EOP or Android/Chrome issue, but I thought I'd share just in case it helps narrow down the problem.
I'm running Chrome 37.0.2062.117 on Android 4.3 (I747UCUEMJB) and am getting the same issue when browsing to https://control.akamai.com/
Same issue here - Chrome 38.0.2125.102 on Android 4.4.4 (CyanogenMod 11 nightlies on a Samsung Galaxy Tab 2), clicking through a Microsoft Hosted Exchange (Office365) spam quarantine link to 'Report as Not Spam' or 'Release to Inbox', the O365 quarantine web server requests a certificate, and I have to click 'cancel' in Chrome on Android.
This does not happen with desktop Chrome.

Comment 17 Deleted
Comment 18 by Deleted ...@, Nov 17 2014
I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that "Ignore" is selected for Client Certificates.
Comment 19 by Deleted ...@, Jul 20 2015
I found this error while authenticating to a guest network at a national lab. I solved the problem by pre-emptively entering the Android browser (rather than Chrome) and going through the authentication process in that browser. Subsequently, Chrome works fine on that network.
Comment 20 Deleted
Comment 21 by Deleted ...@, Jul 29 2015
I am facing this same issue, Please help me how to fix this issue?
This app (Chrome) has requested a certificate. Selecting a certificate will allow the app to use this identify with servers now and in the future. the application has identified the requesting server as '' but you should only grant the application access to the certificate if you trust the application.

You can install certificates from a PKCS#12 file with a .pfx or a .p12 extension
Comment 22 by Deleted ...@, Aug 26 2015
While implementing SSO with X.509 certificates, we have run into this same issue. The prompt to install a certificate only comes up on the Chrome browser from Android phones.

Please change Chrome on Android to behave like all other browser and not prompt to install a certificate.
I'm still seeing this issue on Chrome. When will this be fixed or what is the work around? It affects users trusting my site!w
Ditto - Chrome on Android only in my case. Did not have this problem with my N4. Have it often on my new Axon.

Google Chrome	45.0.2454.84 (Official Build) (64-bit)
Revision	f35ee3c741eb8a18b24c8406e4fe213bfd1a6eb8-refs/branch-heads/2454@{#437}
OS	Android 5.1.1; A1P Build/LMY47V
Blink	537.36 (@201276)
JavaScript	V8 4.5.103.28
User Agent	Mozilla/5.0 (Linux; Android 5.1.1; A1P Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Mobile Safari/537.36
Command Line	--use-mobile-user-agent --top-controls-show-threshold=0.5 --top-controls-hide-threshold=0.5 --enable-high-end-ui-undo --use-mobile-user-agent --enable-begin-frame-scheduling --enable-pinch --enable-overlay-fullscreen-video --enable-overlay-scrollbar --validate-input-event-stream --disable-gpu-process-crash-limit --enable-viewport-meta --main-frame-resizes-are-orientation-changes --disable-composited-antialiasing --ui-prioritize-in-gpu-process --enable-delegated-renderer --profiler-timing=0 --prerender-from-omnibox=enabled --enable-dom-distiller --flag-switches-begin --flag-switches-end --enable-instant-extended-api --top-controls-show-threshold=0.5 --top-controls-hide-threshold=0.5
Executable Path	No such file or directory
Profile Path	/data/data/com.android.chrome/app_chrome/Default
Variations	47f591a-3f4a17df
2aa1a5f2-3f4a17df
6345b824-3d47f4f4
e950616e-80d559bc
236d5d9e-fecfffa1
6cd5f6bc-f23d1dea
72be4de-3f4a17df
be58198d-3d47f4f4
47e5d3db-3d47f4f4
77207729-3d47f4f4
2a33b90e-3d47f4f4
e9f4800b-39c30599
19f73432-ca7d8d80
9d315c2-ca7d8d80
9577ea1a-55ca479c
34262f5b-ca7d8d80
93731dca-3f4a17df
9e5c75f1-dc6f1dc2
f79cb77b-3d47f4f4
4ea303a6-ecbb250e
826d6cab-ca7d8d80
5c3cc7b1-ca7d8d80
b2612322-f8cf70e2
2ce2968c-57e3669a
c99b9cf4-3f4a17df
244ca1ac-4ad60575
3ac60855-486e2a9c
f296190c-eaceac83
4442aae2-e1cc0f14
ed1d377-e1cc0f14
75f0f0a0-e1cc0f14
e2b18481-d7f6b13c
e7e71889-4ad60575
Build ID	e1c30f38-3663-43ef-9a11-16603000ae1f
Cc: klo...@chromium.org
Cc: sleevi@google.com
Labels: M-46
Owner: sleevi@google.com
Status: Assigned
The bug is reproducible on latest builds still. Assigning to sleevi@ after talking to him to review the issue.
Cc: kamakshi@chromium.org
Labels: Cr-Internals-Network-SSL
It sounds like we need to divide this bug into public (non-Google) and private (Google). The problems by Googlers are caused by how Google has configured things, and that's separate internal teams to resolve.

For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There's nothing that Chrome can do here - the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That's the prompt you're seeing - it's controlled by Android and all apps (Google or otherwise) are required to go through that flow.

This will occur with any site configured to request client certificates, so to resolve this, either don't request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).

kamakshi: This is all "By Design" behaviour, but requires server operators to change, so I'm not sure what to do with this bug. I'd be inclined to WontFix/WorkingAsIntended. The steps for what options exist for Android - both what should Googlers do vs non-Googlers do - requires someone to speak more from the Android OS side and the mobile device manager options. The Android APIs involved are DevicePolicyManager ( http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html ) and DeviceAdminReceiver ( http://developer.android.com/reference/android/app/admin/DeviceAdminReceiver.html ), but that's not a Chrome thing.
No other browser has this issue. If a site is https, it will request a
client certificate for secure purposes.

This is normal browser behavior.

How can someone working at Google not know this?
fly: You're confusing client and server certificates. https will always have a *server certificate*. This bug has nothing to do with that. This is about the server requesting a *client* certificate which does not happen all the time and isn't especially common. Chrome is not in control of the prompt on Android and cannot suppress it.
Ok, that is more clear, I see.

So how come the other browsers do not have this issue, like the non-Chrome
browser on my Android device?
I'm not familiar with those browsers. They might not support client certificates. Client certs, much as I hate them, are unfortunately pretty critical in a lot of deployments so losing them isn't really an option.
I use nginx. What is the workaround?
Do you have a reason to be requesting client certificates? Given the confusion, I'm guessing no. It appears in nginx client certs are configured with the ssl_verify_client directive. If you don't need client certs, remove it.
Looks like it's on by default.

This did it:

ssl_verify_client off;
Labels: Hotlist-Recharge
This issue likely requires triage.  The current issue owner may be inactive (i.e. hasn't fixed an issue in the last 30 days or commented in this particular issue in the last 90 days).  Thanks for helping out!

-Anthony
Labels: -Needs-Feedback -Needs-Feedback -Hotlist-Recharge
Owner: rsleevi@chromium.org
Status: ExternalDependency
Switching to Ryan's chromium.org address, but I'm pretty sure this is just ExternalDependency if not outright WontFix.
Labels: -M-46
Comment 39 by Deleted ...@, Oct 14 2015
Hi,

We are also facing the same issue while accessing our https Website from Android devices through Chrome. same is working fine with other browser like Firefox/Safari etc.

Looks like it's a generic issue. Kindly suggest how can we resolve it.

Dhiraj
dhiraj.haritwal: As with comment #35, the issue is that optional client certificate authentication does not work. Due to Android's security model, the failure modes are particularly bad for Chrome on Android, but this deployment strategy is not viable in general.

If you don't know what I mean by "optional client certificate authentication", your site is probably misconfigured to request client certificates when you don't need it to. The fix is then straightforward but depends on what server software you're running. Consult the documentation on how to configure SSL for it.
I fixed this by telling server not to request client cert on nginx.  Which
web server are you using ? It more then likely can be disabled.
Comment 42 by Deleted ...@, Oct 19 2015
Hi,

I am using IIS 7.5 along with "Ignore Client Certificate" setting for SSL. My site is not requesting client certificate. How can i fix it.


Dhiraj
I don't think people on this bug would know much about configuring IIS. You'd want to talk with Microsoft about that. From searching around, "Ignore Client Certificate" seems to be the option you want.

Do you have a URL we can look at? We can at least confirm this is what's going on with your site.
Comment 44 by Deleted ...@, Oct 23 2015
Hi,

I had a case with Microsoft Professional Support for this issue. They have checked & verified that, first of all nothing wrong with IIS Config, secondly this issue is only with Chrome browser whereas same IIS Hosted site is working without any issue in other browser like Safari/Firefox.

Also as i mentioned in my earlier post, already have ignore client certificate option selected on IIS.

you can check for below website.

email me your mail ID to send you URL.

Dhiraj
Cc: -sleevi@google.com
Labels: Needs-Feedback
Note: This bug has grown a number of comments, making it difficult to triage. I'm going to set a Needs-Feedback flag on this; those that are encountering issues are requested to provide a chrome net-internals/net-export log (see https://dev.chromium.org/for-testers/providing-network-details )

However, please be aware: If a website requests client certificate authentication (whether in require or want mode - if it requests it *at all*), then this behaviour is expected and by design as part of the Android security model.

If you are using client certificate authentication, and are an Enterprise, you can use the android.app.admin APIs to handle and suppress prompts, as appropriate to your enterprise config, through the use of an MDM application.

If you are a user, and seeing this on random sites, the *server* is at fault. While we can suppress these prompts on some platforms Chrome runs on (such as common desktop platforms), the enhanced security and privacy design of Android do not make it possible for applications - where Chrome or evil hostile applications - to find out your identities in a way that would let us suppress the prompt if you don't have any. However, the server, not Chrome, is the one misconfigured for requesting it in the first place.

I'm not directly closing this as WontFix, in the slight event that someone has a net-internals log that suggests there might be a Chrome bug where the server *isn't* requesting it, but based on these comments, that does not appear to be the case. We will likely WontFix this, for working as intended, for the reasons described above.
Status: Archived
Talked to davidben...  This is working as intended, and is due to incorrectly configured servers (And a horrible client cert UI on Android, which it outside of Chrome's control)
(Also it's been a month and the Needs-Feedback was fairly broadly cast.)

To that end, if you are seeing this on a server, note Ryan's comments above. The server is almost certainly at fault.

On the off chance there is some cause that isn't this one, we can look at network logs to diagnose them. To send us one, please do NOT comment on this bug. Please file a NEW bug at https://crbug.com/new and attach a network log (see https://dev.chromium.org/for-testers/providing-network-details).
I have the same problem for my website www.marrysoon.com i resolved by installing  file "AddTrustExternalCARoot"
Sign in to add a comment