Cert for chimpquote.com failing on Android phones


#1

I have many certs from Let’s Encrypt. All of them work fine except the ones for chimpquote.com
I don’t understand. I’ve tried a few subdomains there also. Problem only shows up on Android phones I think.


#2

Your site is sending an outdated intermediate certificate. Let’s Encrypt recently switched to a new intermediate certificate to fix issues for Windows XP users. The old intermediate certificate is called Let's Encrypt Authority X1, the new one is called Let's Encrypt Authority X3.

This has come up a couple of times for IIS and/or ACMESharp users. There’s an open issue for ACMESharp here:

This post suggests deleting the old intermediate certificate fixes the issue:

You can verify the fix using SSL Labs (you’ll want to get rid of “This server’s certificate chain is incomplete. Grade capped to B.”).
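The failure described above (a leaf issued by X3 served together with the old X1 intermediate) can be reproduced offline with a throwaway PKI. This is an added example, not code from the thread or from Let’s Encrypt: the root, the “X1” and “X3” intermediates and the leaf for www.example.com are all generated on the fly by openssl and stand in for the real certificates. `chain_ok` runs the same path-building check a client without a cached X3 performs, and `issuer_matches` is the quick test of whether the intermediate a server sends is actually the issuer of its leaf; `live_chain_check` applies that test to a real host over the network and is not exercised here.

```shell
#!/bin/sh
# Added example: wrong-intermediate chain failure, reproduced with a generated PKI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for CA certs (root and intermediates) and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' >leaf.ext

# mkcert STEM CN ISSUER_STEM EXTFILE  (ISSUER_STEM empty => self-signed)
mkcert() {
  openssl req -new -batch -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "/CN=$2" -out "$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}

# Constructed hierarchy: one root, two intermediates, leaf signed by the newer one.
mkcert root "Test Root CA"        ""   ca.ext
mkcert x1   "Test Authority X1"   root ca.ext
mkcert x3   "Test Authority X3"   root ca.ext
mkcert leaf "www.example.com"     x3   leaf.ext

# chain_ok INTERMEDIATE: can leaf.pem be chained to root.pem using only the
# intermediate the server hands out?  This is what a client with no cached X3 sees.
chain_ok() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
}

# issuer_matches LEAF INTERMEDIATE: the served intermediate's subject must equal
# the leaf's issuer; the prefix before '=' is stripped so old and new openssl
# output formats compare the same way.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[^=]*=//')
  sub=$(openssl x509 -noout -subject -in "$2" | sed 's/^[^=]*=//')
  [ "$iss" = "$sub" ]
}

# nth_cert N: print the Nth PEM certificate from stdin (1-based).
nth_cert() {
  awk -v n="$1" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                 /-----END CERTIFICATE-----/{if (c==n) exit}'
}

# live_chain_check HOST: fetch the chain a real server sends and run issuer_matches
# on leaf vs first intermediate.  Needs network; not called in this script.
live_chain_check() {
  chain=$(openssl s_client -connect "$1:443" -servername "$1" -showcerts \
            </dev/null 2>/dev/null)
  printf '%s\n' "$chain" | nth_cert 1 >live_leaf.pem
  printf '%s\n' "$chain" | nth_cert 2 >live_int.pem
  issuer_matches live_leaf.pem live_int.pem
}

for inter in x3.pem x1.pem; do
  if chain_ok "$inter"; then
    echo "served intermediate $inter: chain builds (OK)"
  else
    echo "served intermediate $inter: unable to get issuer (what Android shows as" \
         "NET::ERR_CERT_AUTHORITY_INVALID)"
  fi
done
```

A desktop browser on Windows may still pass with the X1 chain because it fetches the missing X3 via the leaf’s AIA URL or already has it cached, which is why the problem in the thread surfaces first on Android; `openssl verify -untrusted` does no such fetching and so reports the chain the server actually sends.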


#3

Any idea on how I can find and delete the old intermediate certificate on Azure? I am running a standard azure website in 64-bit mode with Let’s Encrypt site extension and web-job.


#4

Sorry, no experience with Azure. :cry:


#5

You didn’t go into detail about what error you were getting (and I’m not familiar with chimpquote). Was it something like “SSL Initialisation Failed”? I had that with the ownCloud app on Android.

Turned out to be my ciphers. I was using the “Modern” ciphers suggested by Mozilla here: https://mozilla.github.io/server-side-tls/ssl-config-generator/, and everything worked fine except for that one specific android app.

Once I relaxed the ciphers, going to what Mozilla suggested a year or so ago, everything worked fine (and SSL Labs is still giving me an A+!)


#6

It just says "your connection is not private"
only on Android so far and only on these new certs. The older certs, like from last week, seem to work fine.

Not sure how I can fix this still. I definitely can’t seem to find any intermediate certs to delete. I can either delete all the certs I have or maybe there is something that can be done from powershell IDK.


#7

NET::ERR_CERT_AUTHORITY_INVALID

that is what it reads on the phone screen


#8

It’s definitely because of the wrong intermediate certificate, I’m just not sure how one would go about fixing this on Azure. Do they have some kind of (community) support that could help with replacing intermediate certificates?


#9

Well I am thinking about just dumping all the certs and reloading them. I have about a dozen in that resource group. I do have access to a fair amount of automation with their REST API and ActiveDirectory. I am running through the REST API as it relates to certs right now and seeing what sort of things I can do.


#10

Well now I’ve really mucked everything up…
In an effort to fix this issue I ran a loop through all the certs that I had and deleted all the X1 certs, then I went back through and got new certs for all the X1 certs that I deleted.

The result is now all my sites don’t work on Firefox and Android. They all behave like the one I was originally trying to fix. Arg


#11

I have the same on IIS. On Android: NET::ERR_CERT_AUTHORITY_INVALID


#12

@Dobromyr - what’s your domain name ? This is usually because of the wrong intermediate certificate.


#13

1c-app.tvnet.if.ua - my domain. But I use old certificate now


#14

OK. So you currently have an LE X1 certificate (valid 6th March to 4th June).

It looks as if you are running Microsoft-IIS/7.5.

When you issued a new certificate, it would have been an LE X3, and Windows IIS tends to cache the old X1 certificate. The link How to clear the CryptNet cache in Windows 7 should hopefully help.


#15

Thanks! Your link helped me.
I deleted the old certificate.
I cleaned the folder from the instructions and deleted Let’s Encrypt Authority X1 from Intermediate Certification Authorities with mmc.
Then I imported the new X3 certificate. All works fine!