Unable to get ODK Collect to work with SSL signed by local CA - Error Trust Anchor for Certificate Path Not Found


I have setup an ODK Aggregate server in our local domain. It’s running on server 2016 with tomcat 8.5.6. I'm having issues with getting the ODK collect app to work while SSL enabled. I have successfully connected with AQ ODK Collect app from the android device but using ODK collect (v1.27.3) receives the following error while trying to get a blank form:
Form Listing Failed. Parsing failed with java.security.cert.certpathvalidatorexception: Trustanchorfor certification path not found. While accessing %server address%

Tomcat is configured to use a java certificate store which has the Domain root, intermediate CA and the odk aggregate server certificate.
When browsing to the web instance of odk e.g https://servername:8443/ODKAgregate via web browser on a computer or utilising the web browser on the tablet it works. When verifying the certificate chain in the browser everything is trusted and chain path correct with the healthy certificate symbol.

The Android device version 7.0 and it’s on a galaxy tab s2

The ODK server is using a java certificate store which has the root, intermediate CA and the odk aggregate server certificate.
Checking the tomcat localhost_access_log I can see the inbound connection from the android device however it does not provide much, xx.xx.xx.xx - - [18/Aug/2020:12:47:16 +0930] "-" 400
I have ran a PCAP on the android device and can see certificate error while using ODK collect however it’s not very descriptive = Description: Certificate unknown (46). I was hoping it might have shown me the problem certificate.

The certificate install guide was followed from the odk Aggregate install site. I have also referenced other articles for tomcat and ssl setup but still no luck.

Any help or guidance would be appreciated.


Please be sure to search for prior relevant posts. By default, apps on Android 7+ do not allow user-specified CAs. There is an ongoing discussion about this at Odk Collect with Custom Certificate: Android 5 (works), Android 7,8 (fails)

Please note that this is based off of an ODK Collect version from 2015 and is not supported by the ODK community.

Thanks for confirming Hélène Martin.