My domain is: brettward.duckdns.org
My web server is (include version): Home Assistant 2023.11
The operating system my web server runs on is (include version): Home Assistant 2023.11
I can login to a root shell on my machine (yes or no, or I don't know): Yes. Well, sort-of, I think it's in some sort of container.
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Home Assistant 2023.11
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Don't understand the question. What client?
The letsencrypt certificate works when accessed from Windows or from some Android phones.
But it doesn't work for at least one other Android phone, apparently because the ISRG Root X1 CA is not installed. I have attempted to install the certificate on the phone but this doesn't seem to have worked.
What else can I do?
Hello @TimWardCam, welcome to the Let's Encrypt community.
Please see Certificate Compatibility - Let's Encrypt
What version of Android is the non-working phone? Is it earlier than 7.1.1?
There was a recent issue (see Let's Encrypt Status) where the "compatibility chain" that helps Let's Encrypt work on older (before 7.1.1) Android versions was not the default. We can help you fix that if it's the issue, though note that'll stop working again in February.
Are you using the Let's Encrypt addon in Home Assistant?
Are you accessing Home Assistant with the Android app, or in a browser?
Sorry, should have said, I've read that and can't see that it gives me instructions to resolve the problem.
It says "Android version 12"
Yes, I'm using the Let's Encrypt addon in Home Assistant.
I've tried both the app and a browser, both fail (with different error messages).
Android 12 should support Let's Encrypt out of the box, at least for standard builds. Can you share the exact error messages, as well as what the device is? (I'm wondering if it's mis-labelled and isn't really Android 12, which I have seen happen. Or some OEM who decided to not ship X1.) Depending on the exact problem, we can provide more precise advice.
Presently ports 80 and 443 are filtered, I suggest opening them.
$ nmap -Pn -p80,443 brettward.duckdns.org
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-13 15:18 PST
Nmap scan report for brettward.duckdns.org (220.127.116.11)
Host is up.
rDNS record for 18.104.22.168: cmbg-18-b2-v4wan-168328-cust698.vm17.cable.virginm.net
PORT STATE SERVICE
80/tcp filtered http
443/tcp filtered https
Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds
Ah, the other thing I didn't mention is that it works OK from WiFi, but not when accessed from outside the LAN.
The browser says "This site can't provide a secure connection. brettward.duckdns.org sent an invalid response". The app says various things on different days, some of them explicitly about a certificate error, others lots longer and more complicated.
No certificate called ISRG Root X1 is listed as either System or User "security certificates". My attempt to install it manually doesn't show up in either of these lists, but does show up in "User certificates" (apparently something different to "User security certificates").
So ... a problem with recognising the root certificate is just the latest theory in a long list of things investigated.
And ... I've just realised ... the person whose phone worked might have been connected to my WiFi, I need to check that. If he was then there may not be a difference between his phone and mine.
So it may be something else entirely and I'm just being misled by the failure of the phone to list the root CA.
Working OK from WiFi but not working outside sounds like your problem is not with the certificate, but with something else interfering with your connection.
Are you port-forwarding or using a VPN to access from outside your network? Are you sure you're not mixing up HTTP and HTTPS ports?
It looks like all your common ports are closed, using this online tool: Open Port Check Tool - Test Port Forwarding on Your Router
The default Home Assistant port is 8123, and is usually plaintext. I see brettward.duckdns.org:8123 is open and listening on HTTPS. If an application tries to connect to it over HTTP, you'll get some sort of confusing error.
I think you have some sort of mixup of port forwarding and mixing protocols happening here.
Here's another test: Can you visit https://www.wikipedia.org/ successfully? Or even this forum? If so, this is not a problem with your device's support for Let's Encrypt.
No VPN. Not mixing up http and https. There are two levels of port forwarding - one in the cable modem and one in the router.
Port forwarding is at the TCP level, in both devices, I hope, so surely shouldn't care whether some higher level is HTTP or HTTPS? But I can have another look at that. (Tomorrow. I've had enough for today!)
If you try to go to https://brettward.duckdns.org:8123 what do you see? A Home Assistant login screen or an error message?
I get the HA login screen just fine. It has a valid TLS configuration, with the so-called "long chain" which should be supported by all Android versions.
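An added diagnostic in Python, not from the thread or the Home Assistant add-on, that covers the two checks raised above: whether a port such as 8123 is actually speaking TLS (the protocol mix-up mentioned earlier), and which Let's Encrypt chain a server sends, parsed from the "Certificate chain" section of openssl s_client -showcerts output. The hostname and the sample chain text are constructed, not captured from the site in the thread.

```python
import re
import socket
import ssl

# Constructed sample of `openssl s_client -showcerts` "Certificate chain"
# output for a Let's Encrypt "long chain" (R3 -> ISRG Root X1 cross-signed
# by DST Root CA X3).  Not captured from the site in the thread.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:CN = example.duckdns.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

def classify_chain(s_client_output):
    """Parse the s:/i: lines and say which Let's Encrypt chain is served."""
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s+i:(.*)$", s_client_output, re.M)
    if not pairs:
        raise ValueError("no certificate chain found in output")
    # Each certificate's issuer must be the next certificate's subject.
    for (_, issuer), (subject, _) in zip(pairs, pairs[1:]):
        if issuer.strip() != subject.strip():
            return "broken chain: server sends an incomplete intermediate set"
    last_issuer = pairs[-1][1]
    if "DST Root CA X3" in last_issuer:
        return "long chain: cross-signed ISRG Root X1 included (old Android OK)"
    if "ISRG Root X1" in last_issuer:
        return "short chain: device must trust ISRG Root X1 itself"
    return "non-Let's Encrypt chain, root issuer: " + last_issuer.strip()

def probe_tls(host, port, timeout=5):
    """Handshake with the system trust store and map the error to a cause."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok: " + tls.version()
    except ssl.SSLCertVerificationError as e:
        # Typical of a device missing ISRG Root X1 from its trust store.
        return "trust problem (root missing?): " + e.verify_message
    except ssl.SSLError as e:
        if e.reason == "WRONG_VERSION_NUMBER":
            # The peer answered with plaintext: HTTP/HTTPS or port mix-up.
            return "port is not speaking TLS (protocol/port mix-up)"
        return "TLS error: " + str(e.reason)
```

probe_tls("brettward.duckdns.org", 8123) from outside the LAN distinguishes a trust-store failure from a port that does not speak TLS; classify_chain is run on the output of openssl s_client -connect host:8123 -servername host -showcerts.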
I can get to https://www.wikipedia.org on the phone. But on my desktop this is using a DigiCert CA ... ?
So if you get the login screen then the certificate and port forwarding are all working fine, so it is something on my phone that's broken ...
Ah, it looks like Wikipedia has issued both. I guess that's not a good test page then! https://valid-isrgrootx1.letsencrypt.org is our "official" test page.
It does seem like the problem is something on your phone but I'm not sure what it could be.
Could it be something else running like some sort of malware/phishing/adblocker software? They often cause confusing messages when they're blocking a page.