Android Browser Showing Security Risk or Connection Not Secured

Orsiris, you wrote "^^ fixed that for you".

What is it you fixed? I have not got a solution yet!

1 Like

See my quote and compare it to the original of @Nummer378. I fixed an error in his explanation about SNI.

3 Likes

I see four posts above offering you solutions.

3 Likes

It is not clear to me how to fix the problem. We cannot move away from existing webserver. I am looking for a fix for IIS server with step by step instructions.

1 Like

Maybe you can reread the post and find what you are looking for:

3 Likes

Hello rg305,

Followed the instructions mentioned in the article, downloaded ISRG Root X1.der, installed the certificate with default settings and rebooted. It looks like the problem is fixed for Android 7.0.
However, a few strange things were observed.
On the first attempt at installing the ISRG Root X1 certificate it did not fix the problem, so I made two more attempts, rebooted and started seeing changes on a few sites.

The Chrome browser on Android 7.0 was intermittently showing the site as secured and unsecured when refreshed.

After about 30 minutes it is identifying the certificate for the sites, but I cannot trust that it will stay that way for long. I will monitor the sites for a few more days and hope it will not repeat.

I have a few more questions.

  1. There are two sets of certificates for each site. The certificate names in one set begin with [IIS] and in the other set with [Manual]. All sites are now assigned certificates whose names begin with [Manual]. I guess the certificates starting with [IIS] should now be removed to keep the certificate list organized. What do you think? Is this a good idea?

  2. IIS has a feature called "Automatic Rebind of Renewed Certificate". I guess it would be good to keep this feature turned on. Any suggestion?

1 Like

The prefixes on the cert names are likely generated by your ACME client. Perhaps I missed it, but I don't see that you mentioned what client you're using to obtain these certs. In any case, I'd be worried that a cert labeled [Manual] would not auto renew. Whether you remove the old certs is a personal preference. I'd probably wait until after your next renewal to make sure everything is working properly.

This feature (sadly) only works with certs obtained using Windows' native autoenrollment. There's no reason to keep it on, but it also won't hurt anything if you do. All it does is create a scheduled task that is triggered by a specific event log entry the autoenrollment process writes when it does a renewal.

3 Likes

The Win-acme client application is used to auto-renew the certificates.

1 Like

Hey! It is back again.
The solution applied as mentioned in the post above (ISRG Root X1 certificate installation) has not fixed it. The Android 7.0 browser is showing an invalid certificate and a security warning, again!

Is there a permanent solution?

1 Like

I think there is a basic problem in the SSL certificate itself.

1 Like

Highly unlikely.
Please be more forthcoming with details and screenshots of errors/messages.
[to help you better/faster, we need to see what you see]

1 Like

The attached screenshot is of an Android 7.0 mobile phone on the Chrome browser.

1 Like

Which version of Chrome?

1 Like

I've already stated this in the very beginning of this thread, but to reiterate:

Your issue is that your IIS server is not sending the long chain (but the short chain). The short chain is known to break Android < 7.1.1.

IIS servers always send the short chain (because the long chain involves an expired certificate IIS tries to avoid). Exceptions are when the system does not trust ISRG Root X1, or is unaware of the expiry of DST Root CA X3.

You can try applying workarounds (e.g distrusting ISRG Root X1) in order to get it to build the long chain - I've already posted that workaround above - but that may come with side effects, such as no longer being able to connect to the Let's Encrypt API (this depends on some factors though). It is in general not recommended.

Otherwise you could consider putting a reverse proxy in front of your IIS, that is capable of sending the long chain.

It looks to me like you have installed ISRG Root X1 on the server. That won't do anything; you would have to install that root on every single Android device connecting to you. Also note that it's not always possible to reliably change the trust store on Android manually (some apps/versions will only ever use the system trust store).

3 Likes
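The chain-building logic described in the post above, worked through as an added example (not code from this thread, from IIS, or from any ACME client named here). The certificate names and expiry dates are those of the public Let's Encrypt and IdenTrust certificates; the leaf certificate, the two client trust-store profiles and the validation dates are constructed for illustration. The model shows why a server that trusts ISRG Root X1 ends up sending the short chain, why that chain cannot be validated by a store that only contains DST Root CA X3 (as on Android 7.0), why the long chain still works there even though DST Root CA X3 has expired, and when that stops being true.

```python
"""Short vs. long Let's Encrypt chain, as seen by the server that builds it
and by the client that validates it. Added example, not code from the thread.
Certificate names/dates are the public ones; the leaf, the trust-store
profiles and the dates passed to validate() are constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date


# Public hierarchy (expiry dates as printed on the real certificates).
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))
# Constructed leaf standing in for the site certificate.
LEAF = Cert("www.example.test", "R3", date(2022, 3, 1))

INTERMEDIATES = [R3, ISRG_X1_CROSS]  # what the server has available to send

# Constructed client profiles: (trust anchors, ignores expiry of the anchor?).
# Android 7.0 ships DST Root CA X3 but not ISRG Root X1 (added in 7.1.1), and
# Android does not check the expiry date of a trust anchor it already holds.
CLIENTS = {
    "android-7.0": ({DST_X3}, True),
    "modern": ({ISRG_X1_SELF, DST_X3}, False),
}


def build_path(leaf, pool, anchors):
    """Follow issuer names from `leaf` through `pool` until a subject found in
    `anchors` is reached. Returns (path, anchor); anchor is None when the
    chain dead-ends before any trusted root."""
    by_subject = {c.subject: c for c in anchors}
    path = [leaf]
    while path[-1].issuer not in by_subject:
        nxt = next((c for c in pool
                    if c.subject == path[-1].issuer and c not in path), None)
        if nxt is None:
            return path, None
        path.append(nxt)
    return path, by_subject[path[-1].issuer]


def chain_sent_by_server(server_roots, leaf=LEAF):
    """Model of a Windows/IIS server: it sends the path it built to a root it
    trusts, minus the root itself. Trusting ISRG Root X1 yields the short
    chain; trusting only DST Root CA X3 forces the long one."""
    path, anchor = build_path(leaf, INTERMEDIATES, server_roots)
    return path if anchor else []


def validate(served, client, today):
    """Client-side check: does `served` reach a root in the client's store,
    with nothing expired except (where the client allows it) the anchor?"""
    anchors, ignore_anchor_expiry = CLIENTS[client]
    path, anchor = build_path(served[0], served[1:], anchors)
    if anchor is None:
        return f"FAIL: no trusted root reachable (chain stops at '{path[-1].issuer}')"
    expired = [c.subject for c in path if c.not_after < today]
    if expired:
        return f"FAIL: expired certificate(s) in chain: {expired}"
    if anchor.not_after < today and not ignore_anchor_expiry:
        return f"FAIL: trust anchor '{anchor.subject}' expired"
    note = " (expired anchor, expiry not checked)" if anchor.not_after < today else ""
    return f"OK via {anchor.subject}{note}"


def report(today=date(2021, 12, 1)):
    """Run the four cases the thread argues about."""
    short = chain_sent_by_server({ISRG_X1_SELF, DST_X3})   # default Windows store
    long_ = chain_sent_by_server({DST_X3})                  # ISRG Root X1 distrusted
    # A renewed leaf, so that only the cross-sign's own expiry matters below.
    renewed = chain_sent_by_server({DST_X3}, Cert(LEAF.subject, "R3", date(2025, 1, 1)))
    return {
        "short_android7": validate(short, "android-7.0", today),
        "long_android7": validate(long_, "android-7.0", today),
        "short_modern": validate(short, "modern", today),
        # The long-chain workaround itself ends when the cross-sign expires.
        "long_android7_after_cross_expiry": validate(renewed, "android-7.0", date(2024, 10, 15)),
    }


if __name__ == "__main__":
    for case, result in report().items():
        print(f"{case:34} {result}")
```

Two things the output makes concrete: the server-side trust store decides which chain is sent (distrusting ISRG Root X1 on the server is the only lever in this model, with the side effects the post mentions), and the long chain only ever bought time, since the cross-signed ISRG Root X1 expired on 30 Sep 2024.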

It is Chrome browser 96.0.4664.45 on Android 7.0.

1 Like

Hello Nummer378,
For a moment let us assume your argument is right that IIS servers always send the short chain; then it should happen to all certificates issued by other issuers, which I do not see happening. This is happening only to Let's Encrypt issued certificates. Why point the finger at the IIS server?

Secondly, as I mentioned, the workaround (e.g. distrusting ISRG Root X1) has not lasted long and the problem is back again.

Thirdly, a reverse proxy in front of IIS is not a viable or good option.

Fourthly, installing a root on every single Android device connecting to the website is not practical.

I think the problem is in the certificate itself or in components related to its validation. This was not happening before Sep 2021, it does not happen with certificates issued by other issuers, and this behavior is appearing only with Let's Encrypt certificates in and after Sep 2021.

I am very fond of Let's Encrypt certificates and hopefully some patches or fixes to the validation system will be released or applied.

1 Like

I can browse to https://www.ashiro.ca/
Using:

  • Android 8.0.0:
    Chrome 92.0.4515.115
    Firefox 90.1.3

  • Android 4.4.2:
    Chrome 81.0.4044.138
    Opera 58.4.2878.56737

Unfortunately, I don't have an Android 7.

1 Like

I know Android 7.0 might not be available to you and you won't be able to replicate the warning message. This is strange behavior. Therefore, I posted pictures of the "Invalid Certificate" warning displayed on Android 7.0.

There is silence, so we presume there is a basic problem in the SSL certificate itself.

1 Like

That is a bad presumption.
More than 230M sites are secured with such certificates.
I doubt you have found a problem with the cert that no one else can find.

2 Likes

You have been given the answer repeatedly by different people in various ways. You have not been able to understand it. Not further silence, there is no further point to make.

3 Likes