Certificate not trusted

HTTPS works fine except on iPhone. Safari won't open the site and complains that it doesn't support TLS 1.2, but I've checked that it does indeed support TLS 1.2.

I went to SSL Checker to try to figure out the problem, and everything seems ok, except it also says: "Server certificate is not trusted by reputable certificate stores!"

The Certificate paths section has three steps, first two are ok, third one has an error:

"Extra download Not in trust store".

ISRG Root X1 (self-signed)
RSA 4096 bits / SHA256withRSA


Not sure about what to do. Thankful for any help.


My domain is: athletium.app

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Hostwinds, VPS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): WinACME v2.1.16.1

Which version of iOS is the iPhone running?

Your certificate chain is fine, it's just using the modern Let's Encrypt chain instead of the "android compatible" one, this is normal on Windows servers.

The ssl checker you linked to is clearly not very good, use something else like SSL Server Test (Powered by Qualys SSL Labs)


Regarding TLS and Cipher suite compatibility, it looks OK but perhaps there is a problem with an older version of iOS. You can adjust your supported TLS and cipher suites without messing with the registry using the free tool Nartac Software - IIS Crypto then click 'Best Practise', apply that then restart the server.


Thanks webprofusion!

It's an iPhone 7 from last year, with iOS 14.2.

I cleared the browser cache again, and suddenly it works. Maybe Safari caches the certificate, or something similar. I'm confused, but now it works at least.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.