[SOLVED] [NOT-K9] LocalKeyStore: "Couldn't find a stored certificate for..."

Hello !!
I am trying to use K9 to connect to an IMAP server with TLS enabled (which is supposedly working), but K9 seems to drop the connection right away. I have exported some logs, the significant part is:

06-21 12:50:06.664 12815 12848 I MessagingController: Running command 'checkMail', seq = 690 (background priority)
06-21 12:50:06.665 12815 12848 I MessagingController: Starting mail check
06-21 12:50:06.665 12815 12848 I MessagingController: Synchronizing account b0f11215-b30c-4d87-980d-fae10625510b
06-21 12:50:06.669 12815 12848 D MessagingController: Last folder list refresh @ jeu. janv. 01 01:00:00 GMT+01:00 1970. Refreshing now…
06-21 12:50:06.671 12815 12848 D RealImapConnection: Connecting to imap.xxxxxxxxxxxxxx as imap.xxxxxxxxxxx/x.x.x.x
06-21 12:50:06.671 12815 12848 D TrafficStats: tagSocket(157) with statsTag=0xffffffff, statsUid=-1
06-21 12:50:06.723 12815 12848 V LocalKeyStore: Couldn't find a stored certificate for imap.xxxxxxxxxxxx:993
06-21 12:50:06.723 12815 12848 E RealImapConnection: Failed to login, closing connection for conn162728944

I have searched for “LocalKeyStore” mentions but couldn’t find one on the K9 forums, and openly on the Web it seems to only match Java issues, which obviously would not help me.

Any hint on how to diagnose further?

K9 version is 6.803, Android is nearly the latest version
IMAP server configuration is:

imap.xxxxxxxxxxxx
SSL/TLS
993
“standard password”
(username)
(password)
No client certificate
Automatic detection : checked
Use compression : checked

Thanks in advance

Addendum: for the record, on the server side, the error line is unrelated to the root cause:

dovecot: imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=xxxxxxxx, lip=yyyyyyyy, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=<.........>

This behavior is a false alert by dovecot which does not understand that the connection was abruptly cut off by the client side.

Looks like the server’s TLS certificate doesn’t validate and the invalid certificate wasn’t manually accepted. K-9 Mail should generate an error notification in this case.

Go to Settings → [Account] → Fetching mail → Incoming server and press the Next button to (re)check the server settings.

1 Like

Indeed, the configuration does not validate.
There’s a warning about a certificate error, but it’s not specified which criterion triggers it.

I have seen that the hostname I’m hitting the server with (imap.xxxxxxxxxxxx) is not one of the Common Names in the certificate (xxxxxxxxxx and www.xxxxxxxxx), but I tried configuring the incoming server with “xxxxxxxxxx” instead of “imap.xxxxxxxxx” and the error still triggers.

The certificate is valid, and the certificate chain on the server contains: 1. the valid certificate, 2. the CA certificate (CN = Gandi Standard SSL CA 2)
I tested switching 1 <=> 2, and also adding a 3rd certificate which was the signing CA’s CA (CN = USERTrust RSA Certification Authority)
But K9 still refused it somehow.

NB: I edited the original post to include the server side error log line

Here is the first Java error line coming after the “fetching” action:
06-21 22:40:52.989 18605 18633 E MessagingController: com.fsck.k9.mail.MessagingException: Unable to get folder list.

But here is the first Java error line coming after the incoming server configuration test :
06-21 22:38:15.447 18605 3712 E RealImapStore: com.fsck.k9.mail.CertificateValidationException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
(the previous lines are very similar, with LocalKeyStore: “Couldn’t find a stored certificate for…”)

I am narrowing the issue to this probable root cause: the CAs are not recognized on the device.
I suppose I have to find a way either to install the Gandi or Usertrust CA on the Android device, OR somehow provide a supplementary certificate in the certificate chain ?

Next: redoing the certificate validation checks on the server side (according to https://stackoverflow.com/questions/6825226/trust-anchor-not-found-for-android-ssl-connection this would rather be a server side configuration issue, which contradicts my previous diagnostics…)

Both dovecot and K9 error messages do not seem to help enough to diagnose whether the issue is on the client side or the server side.

OK

  1. one of the CAs in the server side certificate chain was wrong…
    openssl verify -CAfile chain.pem cert.pem allowed me to debug this

Solution: cat server_cert.pem intermediate.pem root.pem > complete_chain.pem
openssl verify -CAfile complete_chain.pem complete_chain.pem should state OK

dovecot configuration: “ssl_cert = </etc/dovecot/complete_chain.pem”

  2. hostname in the “Server” field of the incoming server configuration MUST be one of the certificate’s Common Names or Alternate Names… so this fixed the 2nd issue, that was pretty explicit in the K9 logs:
    06-21 23:03:27.133 10535 10559 E RealImapStore: com.fsck.k9.mail.CertificateValidationException: javax.net.ssl.SSLHandshakeException: Certificate for <xxxxxxxxxx> doesn't match any of the subject alternative names: [yyyyyy, zzzzz]

Thanks for all and sorry for bothering…

1 Like
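An added example, not from the thread or the K-9 project, that reproduces the two checks from the solution post (chain completeness and hostname vs. SAN) on a constructed root → intermediate → leaf chain generated locally. All hostnames and CA names are placeholders, and it assumes an `openssl` binary (1.0.2 or newer) is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the two checks the poster ended up
# doing (chain completeness, hostname vs. SAN) on a constructed root ->
# intermediate -> leaf chain generated locally. Assumes `openssl` is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway PKI; all names are placeholders, not the poster's hosts.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 2 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out intermediate.pem 2>/dev/null
# Leaf SANs deliberately omit imap.example.test, mirroring the thread's 2nd issue.
printf 'subjectAltName=DNS:mail.example.test,DNS:www.example.test\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA intermediate.pem -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out server_cert.pem 2>/dev/null

# The file the thread's "Solution" line builds and points dovecot's ssl_cert at.
cat server_cert.pem intermediate.pem root.pem > complete_chain.pem

# Stricter than verifying complete_chain.pem against itself: only the root is
# trusted (as on the phone); the intermediates must come from the served chain.
chain_ok() {   # $1 = trusted root, $2 = chain as served, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Same check plus the hostname match K-9 performs against the SANs.
hostname_ok() {   # $1 = hostname, $2 = trusted root, $3 = chain as served, $4 = leaf
  openssl verify -CAfile "$2" -untrusted "$3" -verify_hostname "$1" "$4" >/dev/null 2>&1
}

# Run directly, this reproduces both failures and both fixes from the thread.
chain_ok root.pem server_cert.pem server_cert.pem \
  && echo "leaf only: OK" || echo "leaf only: FAIL (intermediate missing)"
chain_ok root.pem complete_chain.pem server_cert.pem \
  && echo "complete chain: OK" || echo "complete chain: FAIL"
hostname_ok imap.example.test root.pem complete_chain.pem server_cert.pem \
  && echo "imap.example.test: OK" || echo "imap.example.test: FAIL (not in SANs)"
hostname_ok mail.example.test root.pem complete_chain.pem server_cert.pem \
  && echo "mail.example.test: OK" || echo "mail.example.test: FAIL"
```

The "leaf only" case is the local analogue of the device's "Trust anchor for certification path not found", and the `imap.example.test` case of the "doesn't match any of the subject alternative names" line.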