The operating system my web server runs on is (include version): Ubuntu 18.04
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.21.0
The setup is that I have a load balancer running HAProxy (which also provides the certs) in front of some other application servers.
I've been facing this issue for a while and haven't been able to resolve this issue.
I have an app that runs on some devices that are still running Android 7 or earlier and they're unable to make requests to the server, showing an error saying that it is unable to create a secure connection.
After looking around apparently this is a side effect of the DST Root CA X3 expiring.
I've tried to fix this by updating the certbot client I use (it was previously 0.41 or something) and renewing my certs. Alas, the error on my apps persists.
Another possible solution to this issue is to ship the app with the new certificate and make the app use that instead (seen here). But this fix is client-side.
I was wondering if there are any other ways to fix this issue server-side. Or am I stuck with having to update the client?
Also I tried running my domain on the check your website server tool but I am unable to properly digest all the information given. Sorry if I missed anything.
The quickest resolution to this situation is to change the CA providing the cert (to another free and ACME-friendly CA).
It is impossible to update all the out-of-date "(not-so) Smart Devices" out on the Internet.
Apologies, does CA here mean Certificate Authority? As in "change to something else from Let's Encrypt", or just the client as in "change to something else from certbot"?
Your server is serving the long certificate chain which is put in place as the default chain for compatibility with Android 7.1 and older. So if Android 7.1 or older is not working properly, there might be something else going on besides the certificate chain.
Could you give us more information about the error presented by Android? Be as detailed as possible please.
That's not surprising, that "tool" is absolutely rubbish when talking about proper information presentation to the user, I'm afraid.
No, it means to change to getting your cert from a different Certificate Authority that would support all the clients you need. Perhaps ZeroSSL or another free ACME compliant CA. See the Certbot docs for how to do that.
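Added example (not code from anyone in this thread): the two server-side checks and changes discussed above, namely looking at which Let's Encrypt chain the HAProxy front end actually sends, and the certbot flags that select the short chain or a different ACME CA. The long chain ends in ISRG Root X1 cross-signed by the expired DST Root CA X3; the short chain stops at the intermediate issued by ISRG Root X1. `example.com` stands in for your own domain, and the sample `s_client` output at the bottom is constructed for testing, not captured from a real host. The ZeroSSL directory URL and the EAB credential placeholders are taken from general certbot/ACME usage, not from this thread; check your CA's documentation before relying on them.

```shell
#!/bin/sh
# Added example, not part of the original forum thread.
# Assumes: openssl and certbot on PATH; "example.com" is a placeholder for your domain.

# Print subject (s:) and issuer (i:) of every certificate the server sends.
# Usage: show_served_chain example.com [443]
show_served_chain() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | awk '/^ *[0-9]+ s:/ {print} /^ *i:/ {print}'
}

# Classify "openssl s_client -showcerts" output read from stdin.
# Prints "long" if any certificate in the chain is issued by DST Root CA X3
# (i.e. the cross-signed ISRG Root X1 is being sent), otherwise "short".
classify_chain() {
    if grep -q 'i:.*DST Root CA X3'; then
        echo long
    else
        echo short
    fi
}

# Server-side option 1: stay with Let's Encrypt but ask certbot to write the
# short chain into fullchain.pem. Only helps clients that already trust
# ISRG Root X1 (Android 7.1.1 and newer ship it; Android 5.x does not).
renew_with_short_chain() {
    certbot renew --preferred-chain "ISRG Root X1"
}

# Server-side option 2: obtain the certificate from a different ACME CA.
# ZeroSSL requires External Account Binding; the kid/hmac values come from
# your ZeroSSL account page. Placeholders below are assumptions.
issue_from_zerossl() {
    domain=$1
    certbot certonly \
        --server https://acme.zerossl.com/v2/DV90 \
        --eab-kid "<your-eab-kid>" \
        --eab-hmac-key "<your-eab-hmac-key>" \
        -d "$domain"
}

# Constructed sample output in the format openssl s_client prints, used below
# (and by the tests) so the classifier can be exercised offline.
SAMPLE_LONG_CHAIN="Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3"

SAMPLE_SHORT_CHAIN="Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1"

# Demonstration on the constructed samples (prints "long" then "short").
printf '%s\n' "$SAMPLE_LONG_CHAIN" | classify_chain
printf '%s\n' "$SAMPLE_SHORT_CHAIN" | classify_chain
```

To check a live server, run `show_served_chain yourdomain.example | classify_chain`. Whichever chain certbot writes, HAProxy still needs the PEM it loads to contain the certificate chain followed by the private key, so regenerate that bundle and reload HAProxy after `certbot renew` or a switch of CA.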
I'm not sure what the "something else going on" could possibly be.
The error I'm getting is as follows
HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: certificate has expired(handshake.cc:354))
We've been running the app on multiple devices on Android 5.1.1. The app is running Flutter/Dart. We're using a http client called chopper, if that helps. That's all I've got on me right now, I'll try updating with details later. I don't have the detailed information on me.
I've been researching about Flutter/Dart and from the looks of it your code runs in a Dart-VM that ships its own BoringSSL. This BoringSSL version shipped with Dart seems to not have the "Android compatibility trick" included, hence the usual Android workaround doesn't apply here - Dart is not native Android.
As you've already figured out, there seem to be workarounds available for your Flutter/Dart clients. However, Google has apparently already fixed the bad behaviour in Dart and a fix is available since Dart 2.15+.
So from the looks of it, upgrading your app to use Dart 2.15+ would be my recommendation. Otherwise you will need to switch certificate authorities (as already mentioned).