Cert for chimpquote.com failing on Android phones

ComputerCowboy · March 31, 2016, 7:50pm

I have many certs from Let’s Encrypt. All of them work fine except the ones for chimpquote.com
I don’t understand. I’ve tried a few subdomains there also. Promblem only shows up on Android phones I think.

pfg · March 31, 2016, 7:59pm

Your site is sending an outdated intermediate certificate. Let's Encrypt recently switched to a new intermediate certificate to fix issues for Windows XP users. The old intermediate certificate is called Let's Encrypt Authority X1, the new one is called Let's Encrypt Authority X3.

This has come up a couple of times for IIS and/or ACMESharp users. There's an open issue for ACMESharp here:

github.com/ebekker/ACMESharp

wrong issuer certificate

opened 08:13PM - 28 Mar 16 UTC

closed 11:48AM - 18 Jun 16 UTC

chomps1

After installing the certificate on my server I get the following problem: The s…erver certificate is signed by Issuer "Let's Encrypt Authority X3". The certificate in the chain is unfortunately "Let's Encrypt Authority X1". Is this a LetsEncrypt or an ACMESharp issue? The Powershell script for generating the certificate: `````` # set parameters $domain = "example.com" $certificiatePassword = "abcd1234" $email = "info@example.com" $vault = "D:\Vault\{0}\{1}" -f $domain, [guid]::NewGuid() $acmechallengedir = "C:\inetpub\wwwroot\.well-known\acme-challenge\" # include ACMEsharp Set-ExecutionPolicy Unrestricted Import-Module ACMEsharp.psd1 # make dir vault mkdir $vault d: cd $vault # initialize ACMEVault Initialize-ACMEVault -force -BaseURI https://acme-v01.api.letsencrypt.org/directory New-ACMERegistration -Contacts mailto:$email -AcceptTos New-ACMEIdentifier -Dns $domain -Alias dns1 $completedChallenge = Complete-ACMEChallenge dns1 -ChallengeType http-01 -Handler manual $challengeAnswer = ($completedChallenge.Challenges | Where-Object { $_.Type -eq "http-01" }).Challenge # save token to file $challengeFile = $acmechallengedir + $challengeAnswer.Token $challengeContent = $challengeAnswer.FileContent [System.IO.File]::WriteAllText($challengeFile, $challengeContent) # submit challenge $challenge = Submit-ACMEChallenge -Ref dns1 -Challenge http-01 Write-Host $challenge While ($challenge.Status -eq "pending") { Start-Sleep -m 500 # wait half a second before trying Write-Host "Status is still 'pending', waiting for it to change..." $challenge = Update-ACMEIdentifier -Ref dns1 Write-Host $challenge } #get certificate New-ACMECertificate -Identifier dns1 -Alias cert1 -Generate $certificateInfo = Submit-ACMECertificate -Ref cert1 While([string]::IsNullOrEmpty($certificateInfo.IssuerSerialNumber)) { Start-Sleep -m 500 # wait half a second before trying Write-Host "IssuerSerialNumber is not set yet, waiting for it to be populated..." $certificateInfo = Update-ACMECertificate -Ref cert1 } $CertFile = $vault + "\cert1-all.pfx" Get-ACMECertificate -Ref cert1 -ExportPkcs12 $CertFile -CertificatePassword $certificiatePassword #install certificate certutil -p $certificiatePassword -importpfx $CertFile Write-Host "All done, there's a cert1-all.pfx file in $vault with password $certificiatePassword" Write-Host "Import of certificate is completed" ```_ ``````

This post suggests deleting the old intermediate certificate fixes the issue:

You can verify the fix using SSL Labs (you'll want to get rid of "This server's certificate chain is incomplete. Grade capped to B.").

ComputerCowboy · March 31, 2016, 8:26pm

Any idea on how I can find and delete the old intermediate certificate on Azure? I am running a standard azure website in 64-bit mode with Let’s Encrypt site extension and web-job.

pfg · March 31, 2016, 8:31pm

Sorry, no experience with Azure.

DarkSteve · March 31, 2016, 10:08pm

You didn’t go into detail about what error you were getting (and I’m not familiar with chimpquote). Was it something like “SSL Initialisation Failed”? I had that with the ownCloud app on Android.

Turned out to be my ciphers. I was using the “Modern” ciphers suggested by Mozilla here: https://mozilla.github.io/server-side-tls/ssl-config-generator/, and everything worked fine except for that one specific android app.

Once I relaxed the ciphers, going to what Mozilla suggested a year or so ago, everything worked fine (and SSL Labs is still giving me an A+!)

ComputerCowboy · April 1, 2016, 1:37am

It just says "your connection is not private"
only on Android so far and only on these new certs. The older certs, like from last week, seem to work fine.

Not sure how I can fix this still. I definitely can’t seem to find any intermediate certs to delete. I can either delete all the certs I have or maybe there is something that can be done from powershell IDK.

ComputerCowboy · April 1, 2016, 1:52am

NET::ERR_CER_AUTHORITY_INVALID

that is what it reads on the phone screen

pfg · April 1, 2016, 1:58am

It’s definitely because of the wrong intermediate certificate, I’m just not sure how one would go about fixing this on Azure. Do they have some kind of (community) support that could help with replacing intermediate certificates?

ComputerCowboy · April 1, 2016, 2:43am

Well I am thinking about just dumping all the certs and reloading them. I have about a dozen in that resource group. I do have access to a fair amount of automation with their REST API and ActiveDirectory. I am running through the REST API as it relates to certs right now and seeing what sort of things I can do.

ComputerCowboy · April 1, 2016, 9:09pm

Well now I’ve really mucked everything up…
In an effort to fix this issue I ran a loop through all the certs that I had and deleted all the X1 certs then I went back through and got new certs for all the X1 certs that I deleted.

The result is now all my sites don’t work on FireFox and Android. They all behave like the one I was orginially trying to fix. Arg

Dobromyr · April 12, 2016, 9:04am

I have the same on IIS. On Android - NET::ERR_CER_AUTHORITY_INVALID

serverco · April 12, 2016, 9:32am

@Dobromyr - what’s your domain name ? This is usually because of the wrong intermediate certificate.

Dobromyr · April 12, 2016, 10:27am

1c-app.tvnet.if.ua - my domain. But I use old certificate now

serverco · April 12, 2016, 10:42am

OK. So you currently have an LE X1 certificate ( valid 6th March to 4th June )

It looks as if you are running Microsoft-IIS/7.5

When you issued a new certificate, it would have been an LE X3 and windows IIS tends to cache the old X1 certificate. the link How to clear the CryptNet cache in Windows 7 should help hopefully.

Dobromyr · April 12, 2016, 7:33pm

Thanks! Your link help me.
I delete old certificate.
I clean folder from instruction, delete with mmc Lets Encrypt Authority X1 from Intermediate Certification Authorities
Then import new X3 certificate. All work fine!