Welcome to Headwind MDM Q&A, where you can ask questions and receive answers from other members of the community.

Please do not post bug reports, missing feature requests, or demo inquiries. If you have such an inquiry, submit a contact form.

0 votes
I am using Headwind MDM with LetsEncrypt.

I keep getting an error 'Trust anchor for certification path not found' on my Android 9 device.

What's going wrong and how to fix the issue?
by (37.6k points)

1 Answer

0 votes

Since February 2024, LetsEncrypt officially uses its self-signed certificate ISRG ROOT X1 which is unknown to older devices, and since October 2024, their legacy (cross-signed) certificate is retired. See details here: https://letsencrypt.org/certificates/

Unfortunately LetsEncrypt officially doesn't support legacy Android devices any more. See details here: https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580

To support older devices, we recommend purchasing a commercial certificate by one of providers and install it to Headwind MDM. We recommend GoGetSSL: https://www.gogetssl.com

If the issue persists, ask the provider for existing cross-signed certificates for its root certificate and include them into your keystore file. For example, here's the list of cross-signed certificates for GlobalSign: https://support.globalsign.com/ca-certificates/root-certificates/globalsign-cross-certificates

For example, if your root certificate is GlobalSign R6 (untrusted on older devices), then add the cross-signed certificate 'R6 signed by R1'.

by (37.6k points)
edited by
...