Cert_Authority_Invalid on Android After 10/01/2021

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://nextcloud.willedds.freeddns.org:8443

I ran this command: Accessed the webpage from Google Pixel 4XL running Android 11 build RQ3A.210905.001 with Google Chrome version 94.0.4606.61

It produced this output: NET:ERR_CERT_AUTORITY_INVALID

My web server is (include version): pfSense running HAProxy and ACME. It is proxying back to two web applications that are not running SSL

The operating system my web server runs on is (include version): FreeBSD 12.2

My hosting provider, if applicable, is: Home Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): ACME 0.6.10 and HAProxy 0.61_3

Issue:
I have a weird issue that I believe is related to Android. I can access my site above with Windows and Ubuntu desktops and it says I have a valid certificate that has ISRG Root X1 as its intermediate CA. However, when I access the same site from my Android phone, I get an invalid Cert authority error and it says its intermediate CA is DST Root CA X3. Since DST Root CA X3 has now expired (in the last 2 or 3 days), I believe this is the issue. However, I don't know why Google Chrome on Android isn't showing ISRG Root X1 instead and accepting it.

Is there a way in Android to tell it to forget the cert from a server and reload it or force it to get the cert from ISRG Root X1 instead of the one from DST Root CA X3? Or is there another way to address this issue?

Hi @wre136 welcome to the LE community forum :slight_smile:

There is something outdated about the chain being used:

---
Certificate chain
 0 s:/CN=*.willedds.freeddns.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

That trust path hasn't been provided by LE since May 2021 (and is now expired).
Either:

  • the ACME client needs an update
  • your process has hardcoded a chain that is no longer valid (hardcoding these things will always lead to problems down the road - nothing lasts forever)
2 Likes
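The mismatch this reply points at (R3 signed directly by DST Root CA X3 instead of by ISRG Root X1) is easy to spot mechanically in the "Certificate chain" block that `openssl s_client -showcerts -connect host:port` prints. The script below is an added example, not code from the thread, from Let's Encrypt or from pfSense: it parses that block and classifies which trust path the server is handing out. The first sample copies the chain quoted above; the other two are constructed to the shape of the current Let's Encrypt default chains (R3 signed by ISRG Root X1, optionally followed by ISRG Root X1 cross-signed by DST Root CA X3) and are assumptions, not captured output.

```python
"""Classify the chain a TLS server presents, from openssl s_client output.

Added example (not from the thread or from Let's Encrypt / pfSense).
Handles both the older '/C=US/O=...' and the newer 'C = US, O = ...' DN styles
that different OpenSSL versions print.
"""
import re

EXPIRED_ROOT_CN = "DST Root CA X3"   # expired 2021-09-30
CURRENT_ROOT_CN = "ISRG Root X1"
INTERMEDIATE_CN = "R3"

# Matches " 0 s:/CN=example" and "   i:C = US, O = Let's Encrypt, CN = R3"
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):\s*(.*?)\s*$")


def parse_dn(dn):
    """Turn '/C=US/O=Let's Encrypt/CN=R3' or 'C = US, O = ..., CN = R3' into a dict."""
    fields = {}
    for part in re.split(r"/|,\s*", dn):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def parse_chain(text):
    """Return [{'subject': {...}, 'issuer': {...}}, ...] in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, dn = m.groups()
        if kind == "s":
            chain.append({"subject": parse_dn(dn), "issuer": {}})
        elif chain:
            chain[-1]["issuer"] = parse_dn(dn)
    return chain


def classify_chain(chain):
    """Return a one-line verdict describing the trust path the chain leads to."""
    if not chain:
        return "no chain parsed"
    # Each certificate's issuer must be the subject of the next one sent.
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"].get("CN") != parent["subject"].get("CN"):
            return "broken chain: issuer of one link does not match subject of the next"
    names = {c["subject"].get("CN") for c in chain} | {c["issuer"].get("CN") for c in chain}
    r3 = next((c for c in chain if c["subject"].get("CN") == INTERMEDIATE_CN), None)
    if r3 and r3["issuer"].get("CN") == EXPIRED_ROOT_CN:
        # The path quoted in the thread: R3 cross-signed by DST Root CA X3.
        return (f"outdated: {INTERMEDIATE_CN} is signed directly by {EXPIRED_ROOT_CN}; "
                "Let's Encrypt stopped serving this path in May 2021 and the root has expired")
    top_issuer = chain[-1]["issuer"].get("CN")
    if top_issuer == CURRENT_ROOT_CN:
        return f"ok: chain ends at {CURRENT_ROOT_CN}"
    if top_issuer == EXPIRED_ROOT_CN and CURRENT_ROOT_CN in names:
        return (f"ok (long chain): {CURRENT_ROOT_CN} is present and cross-signed by "
                f"{EXPIRED_ROOT_CN}; clients that trust {CURRENT_ROOT_CN} ignore that last link")
    return f"unrecognised root issuer: {top_issuer}"


# Sample 1: the chain quoted in the reply above (copied from the thread).
SERVED_CHAIN = """\
---
Certificate chain
 0 s:/CN=*.willedds.freeddns.org
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Sample 2 (constructed, assumed shape): current short chain, newer OpenSSL DN style.
SHORT_CHAIN = """\
Certificate chain
 0 s:CN = *.willedds.freeddns.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Sample 3 (constructed, assumed shape): long chain with the cross-signed ISRG Root X1 appended.
LONG_CHAIN = SHORT_CHAIN + """\
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

if __name__ == "__main__":
    for label, text in [("served", SERVED_CHAIN), ("short", SHORT_CHAIN), ("long", LONG_CHAIN)]:
        print(f"{label}: {classify_chain(parse_chain(text))}")
```

To run it against a live server, pipe `openssl s_client -showcerts -connect host:port </dev/null` into `parse_chain`; an "outdated" verdict on a Let's Encrypt host means the ACME client or a hardcoded chain on the server is the thing to fix, not the Android client.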

As per pfSense, ACME is updated.

For your results, how did you check that? Is that from another Android device or did you find that with a desktop OS? The only reason I ask is that isn't what my desktops are getting for a chain. I'm also still at a loss for how my pfSense router is passing out two different certs when I only have one. Additionally, I renewed my cert manually yesterday and both on Android and on the Desktops, it showed the new expiry period.

As said before, this is odd.

Problem resolved!

I cannot say what really fixed it but here is what I did:

  1. For ACME, I only had my production account key. I added a staging account key.

  2. Under my certificate configuration, I only had my wildcard entry for the domain. I added an entry under the wildcard for the root of the domain so that it is in the list as well.

  3. In pfSense under Cert Manager, I deleted all the CA certs produced from ACME. This includes the two staging CA certs and the two production certs. [ALSO NOTE: I had a 5th cert here that looked like the one from DST Root CA X3 that expired 3 days ago! Deleted that as well]

  4. I went back to ACME and issued a new cert using the staging account. I still had the same issue when I checked the cert from my android device but at least now it showed the new staging CA root in the cert info.

  5. I switched the cert to use the production account key and reissued. Now it works! It shows the chain to be R3 -> ISRG Root X1.

Again, not sure what change I made here that mattered, but it is now working like it should. Interested to see if this will change and have issues again in 90 days.

2 Likes

Sounds like this did the trick:

2 Likes
