CA Certificate Not Working On Andriod Browsers

airmikec · 2019-01-20 17:15:58 UTC

I have CA certificate from Let’s Encrypt, I can get to my domain fine from Windows 10 and Mac. All domain variants forward to https://www.example.com. But when I try and access the domain from my phone (Android v: 8.0.0) Samsung S7, using Chrome, I get this really long message. I have already accepted the certificate, so I can’t tell you the exact message, but it’s something like “Couldn’t verify certificate, but it appears valid, gives a brief description of what a CA certificate is suppose to do. press OK to accept certificate” That is the abridged version of the nearly full screen message that appears. I had a friend try it from his phone last night and he is getting the same message.

Now I am not the smartest guy in the world so I need some step by step help because I have never had to troubleshoot a certificate before so I don’t know where any of this stuff is, and what a cert.pem is or anything else really. I have read something that since I have a SAN Cert I might need to break up into 2 smaller files one being a cert.pem and some other. pem file. I also read something like Microsoft has this trick where it will reverse trace a CERT to verify it’s authenticity. I don’t know. I was hoping someone could help me understand how to fix this problem.

My domain is: https://www.example.com

I ran this command: I went to: https://www.example.com

It produced this output: It does a large popup saying it couldn’t verify the key or something like that, and it give me the option to install.

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): Windows Server 2008 R2, completely updated. I have SSL and TLS available.

My hosting provider, if applicable, is: N/A

mnordhoff · 2019-01-20 17:20:18 UTC

What’s the domain name?

airmikec · 2019-01-20 17:48:42 UTC

Unfortunately, I don’t feel comfortable giving out the domain name. If someone needs it, then I would be happy to email it to them. That way I can roughly track who knows the domain and who doesn’t. While yes this is a public website, I am still figuring out some things, and I don’t want to worry about hackers and all of that crap instantaneously at the launch of my website. While I do have security and everything else built, I am only human and I could have made errors and I need to go back and look for those errors. I hope you understand. If you want to email please feel free to do so at airmikec@yahoo.com.

tdelmas · 2019-01-20 18:02:09 UTC

You can use https://www.ssllabs.com/ssltest/ to test your configuration (It has an option “Do not show the results on the boards”). Does that test indicate “chain issues” ?

rg305 · 2019-01-20 23:04:41 UTC

Try checking your domain at: https://www.ssllabs.com/ssltest/index.html

rg305 · 2019-01-21 03:52:40 UTC

Can you show the server cipher preference order?

airmikec · 2019-01-21 06:13:56 UTC

So I am not sure if I understand your question or not, but I hope this answers your question, I found this for certificate path, it’s the same path for Mozilla, Android, Windows, etc.

www.example.com
Let’s Encrypt Authority X3
DST Root CA X3

Is that what you were looking for?

rg305 · 2019-01-21 06:16:31 UTC

The output SSLLabs shows for ciphers and in their preferred order.
Cut and paste a picture of that part of the output.
[without any domain names]

rg305 · 2019-01-21 17:35:45 UTC

The TLSv1.2 looks to be in the right order.
But does contain DHE with 1024 bits - which will fail with most newly secured systems.
THIS IS WHERE YOU MAY BE RUNNING INTO PROBLEMS.
[if DHE is not required, you should consider removing those ciphers]

TLSv1.0 is no longer recommended - if not needed consider removing it.

SSLv3 is very BAD and should be removed.

SSLv2 is extremely BAD (impossible to secure) and MUST be removed ASAP.

[EDIT: RC4 is also “broken” and should be removed.]

tdelmas · 2019-01-21 17:47:49 UTC

Another point to look for in the report is the line # Not simulated clients (Protocol mismatch) (Which may be folded) followed but the list of client that will fail to contact your website. (Ex. IE 6 / XP is expected)

airmikec · 2019-01-21 18:06:03 UTC

Okay… So TLS v1.0 and SSL v2 and SSL v3 is on my list to get rid of. That is why I didn’t want to give out my domain name. However, I am curious how do I get rid of the DHE from my ciphers?

Thank you for all of your help. I sincerely, appreciate it.

airmikec · 2019-01-21 18:08:15 UTC

Thank you for the tip tdelmas, I will look into that as well. I will probably have questions when I start to tackle that problem and may need your advice if you don’t mind.

-Mike

rg305 · 2019-01-21 18:11:06 UTC

This is “similar” for most web servers:
Look for a statement with “SSLCipherSuite” or “ssl_ciphers” or something close to that.
Read up on the proper SYNTAX and modify the string to exclude DHE.
Or web search secure default settings for your web server software.

airmikec · 2019-01-21 18:28:49 UTC

rg305, thank you so much for all of your help. I will do that research later today and if I have questions I will probably post tomorrow. I have a few things I need to do on my website today, and work on my venture capital paper. Again, thank you so much.

-Mike Herder

rg305 · 2019-01-21 18:58:27 UTC

One thing that works really well for Windows systems is IISCrypto.
For 'nix systems, you need to read on the specific web server in use.

airmikec · 2019-01-21 19:40:07 UTC

Sorry everyone, I need to start deleting posts. A member of the community has published my common name and alternative names to the web. I don’t know how in the heck he figured them out, but I am now deleting threads that has data from https://www.ssllabs.com. Again thank you all for your advice, I am sure you have pointed me in the right direction. If I have further questions I will get back with you in the next day or 2.

-Mike

rg305 · 2019-01-22 01:21:06 UTC

Someone correct me if I am wrong:
Private DM messages are not visible to the web.