ERR_CERT_AUTHORITY_INVALID on Android

On some Android devices it is still not working, see screenshot

My domain is: remotes.com.uy running on nginx.
How can I trigger a trusted root certification authority updates inside the Android OS so that it starts using the ISRG Root X1 root?

Several customers affected, please help!

What versions of Android are those users using? Usually roots are updated by updating the operating system as a whole.

openssl s_client  -connect  www.remotes.com.uy:443 | egrep 'subject|issuer'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.remotes.com.uy
verify return:1
subject=CN = www.remotes.com.uy
issuer=C = US, O = Let's Encrypt, CN = R3

It looks like you're serving what we call the "short chain," which has two certificates. For compatibility with old Android devices, you need to be serving the "long chain," which has three certificates. Normally your ACME client should set up the "long chain" by default, since that's the one Let's Encrypt offers by default. Have you changed any default settings in your ACME client, like the --preferred-chain flag for Certbot?

1 Like

I set the ISRG Root X1 as preferred because I have tried plenty of things and nothing was working (for another problem in Windows that I could solve).
How do I revert it to a long chain?

The android version is 7.0

Edit /etc/letsencrypt/live/<your site>/fullchain.pem. It presumably has one certificate in it. At the bottom, add the contents of: https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem (from Chain of Trust - Let's Encrypt). Save and restart your server.

Once you've done that, run:

openssl s_client  -connect  www.remotes.com.uy:443 | egrep 'subject|issuer'

You should see a longer list of certificates than the one I shared above.

2 Likes
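As an added example (not code from the thread or from Let's Encrypt), here is a small Python helper that parses the "Certificate chain" summary printed by `openssl s_client -showcerts` and reports whether a server sends the short chain (stops at R3) or the long chain (includes ISRG Root X1 cross-signed by DST Root CA X3). The two sample outputs are constructed, with the PEM bodies omitted; `fetch_showcerts` is a hypothetical helper name that wraps the real openssl command for a live check.

```python
import re
import subprocess

# Constructed samples of the "Certificate chain" block that
# `openssl s_client -connect host:443 -showcerts` prints (PEM bodies omitted).
SAMPLE_LONG_CHAIN = """\
Certificate chain
 0 s:CN = www.remotes.com.uy
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""
SAMPLE_SHORT_CHAIN = """\
Certificate chain
 0 s:CN = www.remotes.com.uy
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

# CN extraction works for both "CN = X" (OpenSSL 1.1+) and "/CN=X" (older) styles.
CN_RE = re.compile(r"CN\s*=\s*([^,/\n]+)")
ENTRY_RE = re.compile(r"^\s*\d+\s+s:(.*)\n\s+i:(.*)$", re.MULTILINE)

def parse_chain(showcerts_output):
    """Return [(subject CN, issuer CN), ...] in the order the server sent them."""
    chain = []
    for subj, issuer in ENTRY_RE.findall(showcerts_output):
        s, i = CN_RE.search(subj), CN_RE.search(issuer)
        chain.append((s.group(1).strip() if s else subj.strip(),
                      i.group(1).strip() if i else issuer.strip()))
    return chain

def classify_chain(chain):
    """'long' when the server sends ISRG Root X1 cross-signed by DST Root CA X3
    (what older Android needs), 'short' when it stops at R3, else 'unknown'."""
    if any(s == "ISRG Root X1" and i == "DST Root CA X3" for s, i in chain):
        return "long"
    if chain and chain[-1][1] == "ISRG Root X1":
        return "short"
    return "unknown"

def fetch_showcerts(host, port=443):
    """Live check (needs network): capture the chain a server actually serves."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    return subprocess.run(cmd, input=b"", capture_output=True, timeout=15).stdout.decode(errors="replace")
```

Run `classify_chain(parse_chain(fetch_showcerts("www.remotes.com.uy")))` after restarting the web server; it should print `long` once the cross-signed root is in the served chain.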

There I just ran the command without the --preferred-chain "ISRG Root X1"
And restarted.
Solved!

2 Likes
