Certificate not trusted on android

exifeed · March 3, 2017, 10:14pm

Hello. I recently installed letsencrypt certificate on my website www.exifeed.com, that is hosting on digitalocean. It’s working fine on desktop, but it’s untrusted on android.
I’ve got apache 2.4.18
Here’s my configuration
SSLEngine on

SSLCertificateKeyFile /etc/letsencrypt/live/exifeed.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/exifeed.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/exifeed.com/fullchain.pem

What should I do to add support for android?

Osiris · March 3, 2017, 10:23pm

It probably has nothing to do with the Let’s Encrypt certificate nor your webservers TLS configuration, that’s all fine. See https://dev.ssllabs.com/ssltest/analyze.html?d=www.exifeed.com&hideResults=on&latest for an analysis of your HTTPS configuration: result = “A”.

What is not properly set up is your website itself: it contains a lot of non-HTTPS resources:

6 JPEG images;
1 PNG image.

A second run had 2 PNG’s and just 1 JPEG from a non-secure location. Seems to vary.

See https://www.whynopadlock.com/ and enter your website for more information.

exifeed · March 3, 2017, 10:33pm

Thanks for answer, but I don’t think it has something to do with images. I just removed content from page except menu and it’s still not working.

Osiris · March 3, 2017, 10:34pm

What's the error you're getting then?

exifeed · March 3, 2017, 10:41pm

When I try to open it in browser it says “couldn’t establish secure connection”.

Osiris · March 3, 2017, 10:42pm

Screenshot? Which browser? Which Android version?

exifeed · March 3, 2017, 10:43pm

Default browser on Samsung Galaxy 3, Android 4.3

Osiris · March 3, 2017, 10:48pm

Ah, yes. If you look at the SSL Labs test page I posted above, you can see:

Android 4.3 Server sent fatal alert: protocol_version

That's because of this server configuration:

TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No

This is good for security! But unfortunately, not very well for backwards compatibility

You can see from the Android 4.3 client page it needs at least "TLS 1.0".

Now, how to fix this? Well, your Apache configuration somewhere has the SSLProtocol directive. For Android 4.3 to work, this should include TLSv1. The default Let's Encrypt setting is: SSLProtocol all -SSLv2 -SSLv3 which also includes TLSv1.

exifeed · March 3, 2017, 10:53pm

Do I need to add TLSv1 to “all -SSLv2 -SSLv3”?

Osiris · March 3, 2017, 10:54pm

That shouldn’t be necessary if you already have all -SSLv2 -SSLv3.

But if you had all -SSLv2 -SSLv3, you wouldn’t have a problem so most likely you’ve got something else configured.

exifeed · March 3, 2017, 10:57pm

I had “all -SSLv2 -SSLv3 - TLSv1”. I removed TLSv1 and restarted apache2, but nothing changed so far.

Osiris · March 3, 2017, 11:00pm

SSLProtocol all -SSLv2 -SSLv3 really should work. Did you edit the correct configuration file? Are there more SSLProtocol directives present somewhere?

exifeed · March 3, 2017, 11:02pm

There is line in this file
Include /etc/letsencrypt/options-ssl-apache.conf
That’s the file that I changed . May be there is other file that I might need to change?

Osiris · March 3, 2017, 11:02pm

The only one who can check that, is you

exifeed · March 3, 2017, 11:03pm

You’re right, I just don’t know where to look.

Osiris · March 3, 2017, 11:26pm

grep -Ri SSLProtocol /etc/apache2/

exifeed · March 3, 2017, 11:35pm

It returned
/etc/apache2/mods-available/ssl.conf: SSLProtocol all -SSLv3
/etc/apache2/mods-enabled/ssl.conf: SSLProtocol all -SSLv3
What SSLCipherSuite should I use to support TLSv1?

Osiris · March 3, 2017, 11:44pm

That should be fine, strange.

And you can confirm that /etc/letsencrypt/options-ssl-apache.conf contains SSLProtocol all -SSLv2 -SSLv3?

exifeed · March 3, 2017, 11:47pm

Yes
Can browser cache it?
I’ve done test again, now there is now error for android but overall rating changed from A to B.

Osiris · March 3, 2017, 11:50pm

I don’t know, but I do know it should work now:

Before:

osiris@desktop ~ $ openssl s_client -tls1 -connect exifeed.com:443
CONNECTED(00000003)
139882517079696:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1472:SSL alert number 40
139882517079696:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1488581927
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
osiris@desktop ~ $

Now:

osiris@desktop ~ $ openssl s_client -tls1 -connect exifeed.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = exifeed.com
verify return:1
---
Certificate chain
 0 s:/CN=exifeed.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCzCCA/OgAwIBAgISAyDLSiKzKkraIS2D+aANBbHrMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMDIxOTUzMDBaFw0x
NzA1MzExOTUzMDBaMBYxFDASBgNVBAMTC2V4aWZlZWQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4tzRTppnc6qa63HCZio1MoMC7Jqaib9AWSxW
scX/I+iP7Gykm8+rXSqTmAeWzRm1dwR8W3pGssAs0Nj11+m/hfGe+LFyakSFGV74
2vxFDTJ9BbedyWy4FI5R/8ucxr9RgN3opdGvTUZl4g1UVJ9IvCEG/t2hajMb06pn
wWu5I9ogtMgf6NXBXBJW1nCrnctc0zglw5FGib1o+8c47jnu59n6rebWkRHi0gat
o1t9cAoprhnDMCuDcVavphEhngqfWAHSUfgYzqlSemjG+ZnEmvi6EVxLMap2V2UC
agvOV7dbSaIp40L8WSyMiBk4irl61WWAQR4e03VLmSGTE3u3iQIDAQABo4ICHTCC
AhkwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBS3uNiwGufEsfDbjZPwYCI/bJIlQjAf
BgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86jsoTBwBggrBgEFBQcBAQRkMGIw
LwYIKwYBBQUHMAGGI2h0dHA6Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcv
MC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQub3Jn
LzAnBgNVHREEIDAeggtleGlmZWVkLmNvbYIPd3d3LmV4aWZlZWQuY29tMIH+BgNV
HSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEEAYLfEwEBATCB1jAmBggrBgEFBQcC
ARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwgasGCCsGAQUFBwICMIGeDIGb
VGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBiZSByZWxpZWQgdXBvbiBieSBSZWx5
aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNjb3JkYW5jZSB3aXRoIHRoZSBDZXJ0
aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0cHM6Ly9sZXRzZW5jcnlwdC5vcmcv
cmVwb3NpdG9yeS8wDQYJKoZIhvcNAQELBQADggEBAE2mUAZVEudjEyof2ZYwuTBe
Rz+z4gjKP/BDeQfFol7DXCFEfFH0pCyZVv7n8TjLpkLlaA4kDfpBPRJpBEzpQ+8q
Po/jyd3MSMf+P7CzJSBVOvCRKw/stbBzs9/NFCec10NOwKf9T2lKQG7aPYwKT3qT
fDvjKk1qosM5Y9lu1CbvKdpYIpQmqDCbhvvTC1sdutVQrwUwNkZ46e3+JKR+8E7s
r9ApHNtsB7jrkBA+8GsMXV2WmPPm2OZ2DcPB556MAmvsnqOvKvC7Iz6joobxouUe
C/3Lomxj2TMuuz6W5uwQwSSXR2ecOlyfNxVwDW2raer3GQVuewFqIDOFz0zXwuE=
-----END CERTIFICATE-----
subject=/CN=exifeed.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2978 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA
    Session-ID: 7EDE6209E6E3723FExxx9AD4AFFAA215FCA506C75C5832E
    Session-ID-ctx: 
    Master-Key: C20FB1F554F9DECFDC9956F0425306xxx54E5209E976EB49D085753D8F78
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1488584873
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
osiris@desktop ~ $