Android sys: ERR_CERT_AUTHORITY_INVALID


#1

Please fill out the fields below so we can help you better.

My domain is: inspections.e3bldg.com. I get the same result with https://valid-isrgrootx1.letsencrypt.org/

I ran this command: Tried to access the website via Android Chrome browser or App API and I get certificate invalid (the chain seems to be incorrect)

It produced this output:

My operating system is (include version): Android 5

My web server is (include version): Apache

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): virtualmin


#2

How did you install the certificate? Because it’s probably not automatically installed by certbot.

Your Apache is serving two intermediate certificates: both incorrect ones, for Android that is. It’s sending the X1 intermediate signed by DST root. The correct root, but the incorrect intermediate (X1 isn’t used any more…) and the X3 intermediate signed by ISRG root. The correct intermediate, but (for Android) the incorrect root. You’d want the X3 signed by DST root :)


#3

Copied the content of https://letsencrypt.org/certs/isrgrootx1.pem.txt to my ssl.ca file.


#4

The ISRG root is not yet trusted by browsers in general. This is part of ISRG’s long-term strategy and the process will take years, both to complete the root program approval process with each root program, and to wait until old browsers that don’t contain the ISRG root stop being used in the wild.

@Osiris is right: the only certificate chain that is widely trusted by browsers today that you can use with currently-being-issued Let’s Encrypt certificates is the X3 intermediate signed by DST. That is available at

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Most people installing a cert should never have to download anything at all from https://letsencrypt.org/certs/, because Let’s Encrypt clients normally handle this for you. For example, if you used Certbot, you have a file fullchain.pem which already contains this chain as provided by the CA at the time your cert was issued.
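
An added example, not part of the original thread or of any Let's Encrypt tooling: a dependency-free Python check that reads a PEM bundle (a chain file or `fullchain.pem`), verifies that each certificate's issuer Name matches the next certificate's subject, and reports the CN of the issuer the chain ends at, which has to be a root the client trusts. `GOOD` and `BAD` are constructed, unsigned stand-ins modeled on the chains described in posts #2 and #4; `example.test` and all function names are assumptions of this example.

```python
import base64
import re

OID_CN = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    pos = tlv(der, tlv(der, 0)[1])[1]  # step into Certificate, then tbsCertificate
    fields = []
    while len(fields) < 5:  # serial, signature alg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def common_name(name):
    """Best-effort CN: the string element that follows OID 2.5.4.3."""
    i = name.find(OID_CN)
    _, start, end = tlv(name, i + len(OID_CN)) if i >= 0 else (0, 0, 0)
    return name[start:end].decode("utf-8", "replace")

def check_chain(pem_text):
    """Return (CN of the last issuer, indexes i where issuer(i) != subject(i+1))."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem_text, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    breaks = [i for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    return common_name(names[-1][0]), breaks

def demo_cert(subject, issuer):
    """Constructed, unsigned stand-in: version, serial, sig alg, issuer, validity, subject."""
    def el(tag, body):  # DER element, short-form length only
        return bytes([tag, len(body)]) + body
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + b"\x30\x00".join(
        el(0x30, el(0x31, el(0x30, OID_CN + el(0x0C, cn.encode())))) for cn in (issuer, subject))
    body = base64.b64encode(el(0x30, el(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

X3 = "Let's Encrypt Authority X3"  # CN strings only; none of these are real certificates
GOOD = demo_cert("example.test", X3) + demo_cert(X3, "DST Root CA X3")
BAD = (demo_cert("example.test", X3) + demo_cert("Let's Encrypt Authority X1", "DST Root CA X3")
       + demo_cert(X3, "ISRG Root X1"))
```

With a real bundle, pass the file's text to `check_chain`. The check compares names only and does not verify signatures or expiry.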

