Android browsers problem and chain issues on Tomact 8.x - Incomplete Certificate Chain

Please fill out the fields below so we can help you better.

My domain is: retok.ddns.net

I ran this command:
To renew the certificate I do the following:
1 - Renew Certificate
C:>java -jar acme_client.jar -a c:\Dados\WebServerCertificate\account.key -w c:\Dados\WebServerCertificate\ --command renew-certificate --csr c:\Dados\WebServerCertificate\retok.ddns.net.csr --cert-dir c:\Dados\WebServerCertificate\wellknown --log-dir c:\Dados\WebServerCertificate
{“status”:“ok”}

2 - Convert the openssl certificate to PKCS12
C:>c:\Programas\GnuWin32\bin\openssl.exe pkcs12 -export -in c:\Dados\WebServerCertificate\wellknown\cert.pem -inkey retok.ddns.net.key -out server.p12
Loading ‘screen’ into random state - done
Enter Export Password:
Verifying - Enter Export Password:

3 - Delete or rename the c:\Dados\WebServerCertificate\server.keystore
delete c:\Dados\WebServerCertificate\server.keystore

4 - Convert a PKCS12 to java keystore format
C:>keytool -importkeystore -deststorepass -destkeypass -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or
cancelled

5 - Import fullchains to the certificate
C:>keytool -import -alias root -keystore server.keystore -trustcacerts -file c:\Dados\WebServerCertificate\wellknown\fullchain.pem
Enter keystore password:
Certificate already exists in keystore under alias <1>
Do you still want to add it? [no]: y
Certificate was added to keystore

6 - Import the chains to the certificate
C:>keytool -import -alias tomcat -keystore server.keystore -trustcacerts -file c:\Dados\WebServerCertificate\wellknown\chain.pem
Enter keystore password:
Certificate was added to keystore

7 - Rename the old .keystore
rename C:\WINDOWS\system32\config\systemprofile.keystore .keystore_2017_05_07

8 - Copy server.keystore as .keystore to system profile
copy c:\Dados\WebServerCertificate\server.keystore C:\WINDOWS\system32\config\systemprofile.keystore

9 - Restart Tomcat server

It produced this output:
I already tested from several Androids and all returns the same error: CERT_AUTHORITY_INVALID (all my Android phones and tablets and I already tested with some friends of mine Androids equipments). I do not believe all the Androids are wrong configured! I believe the Android browsers do not recognise yet the Lets Encript as a valide certification authority. Do you have any idea when Android will recognise Lets Encript?
When I run browsers in Windows and Apple IOS machines everything seems to be working fine, only in Androids I receive this error.
In https://www.ssllabs.com says to my site “Chain Issues Incomplete”.
What is missing in my certificate? What I am doing wrong to have this problem with Android phones and ssllabs returns that error?

My operating system is (include version): Microsoft Windows XP - Home Edition - Version 2002 - Service Pack 2

My web server is (include version): Tomcat 8.0

My hosting provider, if applicable, is: Not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi @arjava,

Use the fullchain.pem instead of cert.pem

c:\Programas\GnuWin32\bin\openssl.exe pkcs12 -export -in c:\Dados\WebServerCertificate\wellknown\fullchain.pem -inkey retok.ddns.net.key -out server.p12

There is no need to import again the fullchain.

As far as I know you shouldn't import the chain too.

Cheers,
sahsanu

1 Like

Hi Sahsanu,

I implement your recomendations and averything works fine.

ssllabs site do not indicate any error anymore.

Android equipments do not indicate the certificate error anymore also.

Thank you very much,

Best regards

António Rodrigues

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.