Error trust_anchor but ONLY for android 7 devices

Question

Hello,

I have some problems registering my devices but only those in Android 7 (here they are Huawei P9 Lite). I have NO problem with those in Android 8,9,10 and above.

I think that the problem comes from my let's encrypt ssl certificate. I managed to register devices in Android 7 at the beginning of January but since mid-February it has been impossible.

Last enrollment of android 7 device (same device as today) : 

Error message today with the same device

I check other Q&A (like https://qa.h-mdm.com/7394/cannot-enroll-device-https-trust-anchor-certification-found), we have the same symptoms but not the same error source.

Do I need to disable let's encrypt or use another certificate or another idea ?

Thanks

Answer 1

When you use LetsEncrypt to generate the certificate, Headwind MDM includes the full chain of certificate authorities in the keystore, so the QA article you referred is not applicable.

I guess LetsEncrypt has changed something in their certificates so older devices do not trust them any more.

Instead of LetsEncrypt, you can purchase a commercial certificate (https://qa.h-mdm.com/1240/how-to-setup-work-through-https), but there's no guarantee that Huawei devices will accept it. The only way to check is to try it.

Answer 2

I guess here's the answer: https://qa.h-mdm.com/18231/letsencrypt-gives-https-error-trust-anchor-not-found-android

If you're using LetsEncrypt, update the Headwind MDM launcher to the latest version, it installs LetsEncrypt root certificates if they are unknown by a device.