Recently I faced a problem: on some Android devices (primarily older ones like the Galaxy Note 3 with Android 5.0) your certificate is not trusted any more, throwing the following exception:
Handshake Exception Handshake error in client (OS Error: Certificate_Verify_Failed: unable to get local issuer certificate (handshake.cc:354))
The Chrome browser on these devices does not recognize the certificate either, but interestingly, on the same device Samsung’s browser works fine!
You’re sending the intermediate certificate signed by the ISRG Root X1 root certificate in your certificate chain. While this root certificate is accepted in many modern root certificate stores, it isn’t in older stores, like the ones on your old Android versions.
As I’m a noob in SSL stuff, could you please point me to how I can install this intermediate certificate while I am on shared hosting at Mocha without root access?
Then it’s something you’ll have to discuss with your hosting provider. Ask them if they could change the intermediate certificate signed by the ISRG root to the intermediate certificate signed by the IdenTrust (DST Root CA 3) root.
I had an exchange with Mochahost support; they believe that everything is OK with the certificates on the server side. As proof they sent me this report:
Well, they do have a point: there isn’t anything wrong with their setup. It’s just less suitable for you because they chose to use the “state of the art” root certificate, which is only accepted in recent root stores.
There is also nothing wrong with choosing the “older” DST Root CA 3 intermediate certificate. But that one is more broadly accepted, for example, in older Android versions.
I am however curious about why they decided to use the intermediate cert signed by the ISRG root. Because there is nothing wrong with the “older” DST Root. And while it expires relatively soon, that is still more than a year away (August 2021!).
There are even more arguments to use the DST root:
Normally, the ACME server sends not only the end leaf certificate requested by the user, but also the intermediate certificate. Let’s Encrypt currently still sends the intermediate signed by the DST Root CA X3 certificate, NOT the newer ISRG root signed intermediate;
Let’s Encrypt uses the DST Root on their own websites.
This all improves compatibility with older clients like your Android phone.
So to summarize: there isn’t anything wrong with their choice, it’s more that their choice is strange and leads to less compatible websites when there isn’t really a good reason to do so.
OK, I see. My problem is, Mocha is convinced they are all fine; I even sent them the link to our conversation here…
Is there any way you could issue the proper intermediate certificate for my case, so I can just forward it to them and ask for installation? Probably it will be the easiest way to overcome the issue.
The intermediates can just be swapped. Both intermediates (i.e., the one signed by the DST Root CA3 and the one signed by the ISRG root) have the same key pair "in them". So swapping out the intermediates can be done without requiring a new certificate for your server.
This is WAY outside the Let's Encrypt wheelhouse, and I'm not saying you should do this, but another option is to update your Android device with a newer OS version.
For example, LineageOS supports a few models of the Galaxy Note 3, and would effectively update you to Android 9 (Pie). That would make the current problem go away.
Of course, that may not be practical for your situation, and you may not be comfortable replacing the OS on your phone. But it would extend the useful life of the device and avoid a few more future issues as Android 5 is less and less supported over time.
In fact there is nothing wrong with sending both signing certificates at the same time. That would be the most stable set-up. (It would somehow still work after August 2021, even if they do not update the certificate chain until that time.)
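Three claims in this thread can be checked mechanically rather than argued with a hosting provider: which root signs the intermediate a server actually sends (the reply about ISRG Root X1), that both intermediates carry the same key pair and are therefore swappable without re-issuing the leaf, and what "send both" does for a client with an old root store. The script below is an added example, not code from the thread, from Let's Encrypt or from Mochahost. It builds a throwaway PKI with the openssl CLI (1.1.1 or newer) that mirrors the situation: one intermediate key certified once by an "old" root and once by a "new" root. The names Old Root, New Root and Example Intermediate, the domain example.test, the serial numbers and the use of P-256 keys are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway PKI in which ONE intermediate
# key pair is certified by an "old" root and by a "new" root (compare Let's
# Encrypt Authority X3 signed by DST Root CA X3 and by ISRG Root X1).
# Names, serials, example.test and the P-256 keys are assumptions for the demo.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
EOF

# new_key FILE: a fresh P-256 private key (curve choice is arbitrary here).
new_key() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# self_signed_root KEY OUT CN: a root certificate, i.e. what a root store holds.
self_signed_root() {
  openssl req -x509 -new -key "$1" -out "$2" -subj "/CN=$3" -days 3650 -sha256 \
    -config ext.cnf -extensions ca_ext 2>/dev/null
}

# sign CSR CA_CERT CA_KEY SERIAL EXT_SECTION OUT: issue a certificate for CSR.
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$4" -days 825 \
    -sha256 -extfile ext.cnf -extensions "$5" -out "$6" 2>/dev/null
}

build_pki() {
  new_key old_root.key; self_signed_root old_root.key old_root.pem "Old Root"
  new_key new_root.key; self_signed_root new_root.key new_root.pem "New Root"

  # One intermediate key and one CSR, two certificates: same subject and public
  # key, different issuer and signature. This is what makes them swappable.
  new_key inter.key
  openssl req -new -key inter.key -subj "/CN=Example Intermediate" \
    -config ext.cnf -out inter.csr 2>/dev/null
  sign inter.csr old_root.pem old_root.key 1001 ca_ext inter_old.pem
  sign inter.csr new_root.pem new_root.key 1002 ca_ext inter_new.pem

  # The server (leaf) certificate is signed with the intermediate KEY, so it is
  # valid under either intermediate certificate; swapping needs no re-issuance.
  new_key leaf.key
  openssl req -new -key leaf.key -subj "/CN=example.test" \
    -config ext.cnf -out leaf.csr 2>/dev/null
  sign leaf.csr inter_old.pem inter.key 2001 leaf_ext leaf.pem

  # "Send both": a chain file carrying the two intermediates, old one first.
  cat inter_old.pem inter_new.pem > both.pem
}

# spki_hash CERT: SHA-256 over the DER SubjectPublicKeyInfo, a key fingerprint
# that does not depend on who signed the certificate.
spki_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# chain_issuers BUNDLE: subject and issuer of every certificate in a PEM bundle.
# Run it on the chain a server sends to see which root signs its intermediate.
chain_issuers() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_chain ROOT_STORE SERVED_CHAIN: the verdict of a client whose trust
# store is exactly ROOT_STORE when the server sends leaf.pem plus SERVED_CHAIN.
verify_chain() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" leaf.pem 2>&1
}

build_pki
echo "SPKI of old-root-signed intermediate: $(spki_hash inter_old.pem)"
echo "SPKI of new-root-signed intermediate: $(spki_hash inter_new.pem)"
echo "--- what the server sends:"; chain_issuers inter_new.pem
echo "--- old client (only Old Root), server sends new-root-signed intermediate:"
verify_chain old_root.pem inter_new.pem || true     # the Android 5 failure
echo "--- old client, server sends old-root-signed intermediate:"
verify_chain old_root.pem inter_old.pem
echo "--- old client, server sends both:"; verify_chain old_root.pem both.pem
echo "--- new client (only New Root), server sends both:"
verify_chain new_root.pem both.pem || true          # depends on candidate order
```

The first failing verify prints OpenSSL's "unable to get local issuer certificate", the same error code the Android client reported above. Against a real server, feed chain_issuers the bundle you get from `openssl s_client -connect host:443 -showcerts`, and compare spki_hash of the served intermediate with that of the alternative intermediate: equal fingerprints mean the hosting provider can swap the file without touching the server certificate. The last two verifies are the caveat for "send both": OpenSSL's chain builder takes the first candidate in the bundle whose name and key match the leaf's issuer and walks up from there, so with two sibling intermediates the order in the served chain decides which root it ends at, and other TLS stacks make their own choice. Test a combined chain against the actual old clients you care about instead of assuming it satisfies both root stores.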