Android Browser Showing Security Risk or Connection Not Secured

I've already stated this in the very beginning of this thread, but to reiterate:

Your issue is that your IIS server is not sending the long chain (but the short chain). The short chain is known to break Android < 7.1.1.

IIS servers always send the short chain (because the long chain involves an expired certificate IIS tries to avoid). Exceptions are when the system does not trust ISRG Root X1, or is unaware of the expiry of DST Root CA X3.

You can try applying workarounds (e.g. distrusting ISRG Root X1) in order to get it to build the long chain - I've already posted that workaround above - but that may come with side effects, such as no longer being able to connect to the Let's Encrypt API (this depends on some factors though). It is in general not recommended.

Otherwise you could consider putting a reverse proxy in front of your IIS, that is capable of sending the long chain.

It looks to me like you have installed ISRG Root X1 on the server. That won't do anything, you would have to install that root on every single Android device connecting to you. Also note that it's not always possible to reliably change the trust store on Android manually (some apps/versions will only ever use the system trust store).

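To confirm which chain a server actually sends, here is an added Python example (not code from this thread or from Let's Encrypt) that parses the `Certificate chain` section of `openssl s_client -showcerts` output and reports whether the cross-signed ISRG Root X1 (issued by DST Root CA X3, the long chain) is present or the chain stops at a certificate issued by ISRG Root X1 (the short chain). The two sample outputs are constructed, and the intermediate name `R3` in them is an assumption.

```python
import re
import subprocess

# openssl s_client prints one " N s:<subject>" line followed by an "   i:<issuer>" line
# per certificate the server sent (PEM blocks and other lines are ignored here).
_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER = re.compile(r"^\s+i:(.*)$")

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def classify_chain(chain):
    """'long'  : the cross-signed ISRG Root X1 (issuer DST Root CA X3) was sent,
    'short' : the chain ends at a certificate issued by ISRG Root X1 without that root,
    'other' : not a Let's Encrypt chain, or nothing parsed."""
    for subject, issuer in chain:
        if "ISRG Root X1" in subject and "DST Root CA X3" in issuer:
            return "long"
    if chain and "ISRG Root X1" in chain[-1][1]:
        return "short"
    return "other"

def fetch_chain_text(host, port=443):
    """Capture the s_client output for a live server (not called by the samples below)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True,
                          timeout=20).stdout.decode(errors="replace")

# Constructed samples of the relevant s_client lines (intermediate name assumed).
SHORT_CHAIN_SAMPLE = """Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---"""
LONG_CHAIN_SAMPLE = SHORT_CHAIN_SAMPLE.replace("---", """ 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---""")
```

A result of `short` from an IIS host matches the behaviour described above; a client older than Android 7.1.1 without ISRG Root X1 in its system store will reject that chain.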