Please fill out the fields below so we can help you better.
My domain is: retok.ddns.net
I ran this command:
To renew the certificate I do the following:
1 - Renew Certificate
C:\>java -jar acme_client.jar -a c:\Dados\WebServerCertificate\account.key -w c:\Dados\WebServerCertificate\ --command renew-certificate --csr c:\Dados\WebServerCertificate\retok.ddns.net.csr --cert-dir c:\Dados\WebServerCertificate\wellknown --log-dir c:\Dados\WebServerCertificate
{"status":"ok"}
2 - Convert the openssl certificate to PKCS12
C:\>c:\Programas\GnuWin32\bin\openssl.exe pkcs12 -export -in c:\Dados\WebServerCertificate\wellknown\cert.pem -inkey retok.ddns.net.key -out server.p12
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
3 - Delete or rename the c:\Dados\WebServerCertificate\server.keystore
delete c:\Dados\WebServerCertificate\server.keystore
4 - Convert a PKCS12 to java keystore format
C:\>keytool -importkeystore -deststorepass -destkeypass -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or
cancelled
5 - Import fullchains to the certificate
C:\>keytool -import -alias root -keystore server.keystore -trustcacerts -file c:\Dados\WebServerCertificate\wellknown\fullchain.pem
Enter keystore password:
Certificate already exists in keystore under alias <1>
Do you still want to add it? [no]: y
Certificate was added to keystore
6 - Import the chains to the certificate
C:\>keytool -import -alias tomcat -keystore server.keystore -trustcacerts -file c:\Dados\WebServerCertificate\wellknown\chain.pem
Enter keystore password:
Certificate was added to keystore
7 - Rename the old .keystore
rename C:\WINDOWS\system32\config\systemprofile\.keystore .keystore_2017_05_07
8 - Copy server.keystore as .keystore to system profile
copy c:\Dados\WebServerCertificate\server.keystore C:\WINDOWS\system32\config\systemprofile\.keystore
9 - Restart Tomcat server
It produced this output:
I already tested from several Androids and all return the same error: CERT_AUTHORITY_INVALID (all my Android phones and tablets, and I already tested with some of my friends' Android equipment). I do not believe all the Androids are wrongly configured! I believe the Android browsers do not yet recognise Let's Encrypt as a valid certification authority. Do you have any idea when Android will recognise Let's Encrypt?
When I run browsers on Windows and Apple iOS machines everything seems to be working fine; only on Androids do I receive this error.
https://www.ssllabs.com says “Chain Issues Incomplete” for my site.
What is missing in my certificate? What am I doing wrong to have this problem with Android phones, and for ssllabs to return that error?
My operating system is (include version): Microsoft Windows XP - Home Edition - Version 2002 - Service Pack 2
My web server is (include version): Tomcat 8.0
My hosting provider, if applicable, is: Not applicable
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
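
A local check related to the “Chain Issues Incomplete” report in the post above, as an added example that is not part of the original post: it splits a PEM bundle (such as the contents of fullchain.pem) into certificates and checks that each certificate's issuer matches the next certificate's subject, flagging a leaf that stands alone. All function names are hypothetical, the sample certificates are constructed stand-ins rather than real ones, and only name chaining is checked, not signatures.

```python
import base64, re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, p, _ = tlv(der, 0)                  # Certificate
    _, p, _ = tlv(der, p)                  # TBSCertificate
    fields = []
    while len(fields) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, p)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def split_pem(text):
    """Split a PEM bundle into a list of DER-encoded certificates."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode(b) for b in re.findall(pat, text, re.S)]

def chain_status(ders):
    """Name-chaining check only; signatures are not verified."""
    if not ders:
        return "empty"
    names = [issuer_subject(d) for d in ders]
    for (issuer, _), (_, next_subject) in zip(names, names[1:]):
        if issuer != next_subject:
            return "misordered"
    if len(names) == 1 and names[0][0] != names[0][1]:
        return "incomplete"                # leaf alone, no intermediate
    return "ok"

# --- constructed sample data (minimal DER stand-ins, not real certificates) ---
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here
def name(cn):
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))
def fake_cert(issuer, subject):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + name(issuer) + der(0x30, b"") + name(subject))
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
LEAF = fake_cert("Constructed Intermediate", "leaf.example")
INTERMEDIATE = fake_cert("Constructed Root", "Constructed Intermediate")
```

To check a real bundle, pass the file's text to `split_pem` and the result to `chain_status`.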