Hi there, for a few days now Android 6 (SIX) has been having trouble with the Let's Encrypt certificate.
Runs fine on Windows and newer Android versions. I tested some changes to the config, but that did not work.
Android error is ERR_CERT_AUTHORITY_INVALID.
I see the tipsa.defcon.eu cert and the R3 in the browser info.
No. Your ACME Client (KeyHelp?) must select the alternate longer chain. In the past the longer chain was the default.
This longer alternate chain will only be available until Jun 6 anyway.
You will have to ask your hosting provider about selecting the alternate chain with KeyHelp to get a few more months of compatibility. Or use a different CA if you need support for such old devices for the long term.
Or, is it possible for you to install a different ACME Client which supports choosing the alternate chain? Or one which supports a different CA?
I looked at KeyWeb's docs and did not see much info. Which is why you will need to ask them. You could ask them to look at this thread and post their own questions if they choose to proceed.
Please note that using the now-alternate chain will only temporarily fix your problem with Android 7.0 or older. Please use the borrowed time for a more permanent fix (upgrade the OS, redistribute the ISRG Root X1 root to all devices, etc.).
If you need older devices to access your service, my suggestion would be to change certificate authority to one with a trusted root that's available on your target devices. All trusted roots will eventually expire (e.g. some have another 10 years to go), so devices that can't update their trusted root certificate store will eventually fail to use any publicly trusted certificate.
Thanks for all your help guys!
We switched to another CA for the time being to get the service up and running again.
Maybe it's time to get rid of those "legacy" devices in the near future.
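
To check which chain a server bundle actually carries, the following added example (not code from any poster in this thread, nor from KeyHelp) reads the issuer of the last certificate in a PEM chain and picks the bundle ending at a preferred root. The function names are hypothetical, the sample certificates are constructed DER skeletons rather than real ones, and "DST Root CA X3" is the root the longer Let's Encrypt chain ends at.

```python
import base64
import re

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3, commonName

def _tlv(buf, pos):
    """Decode one DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def issuer_cn(der):
    """Issuer commonName of one DER-encoded certificate, or None if it has no CN."""
    _, cs, _ = _tlv(der, 0)                      # Certificate
    _, ts, te = _tlv(der, cs)                    # tbsCertificate
    fields = [f for f in _children(der, ts, te) if f[0] != 0xA0]  # drop [0] version
    _, ns, ne = fields[2]                        # serial, signature alg, issuer
    for _, rs, r_end in _children(der, ns, ne):         # each RDN (SET)
        for _, a_s, a_e in _children(der, rs, r_end):   # each type/value pair
            (_, os_, oe), (_, vs, ve) = list(_children(der, a_s, a_e))[:2]
            if der[os_:oe] == CN_OID:
                return der[vs:ve].decode("utf-8", "replace")

def chain_top_issuer(pem_bundle):
    """Issuer CN of the last certificate in a PEM chain: the root a client must trust."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_bundle, re.S)
    return issuer_cn(base64.b64decode("".join(blocks[-1].split())))

def pick_chain(bundles, preferred_root):
    """Return the first chain ending at preferred_root, else the default (first) one."""
    return next((b for b in bundles if chain_top_issuer(b) == preferred_root), bundles[0])

# Constructed sample data: DER skeletons holding only the fields read above, not real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body

def fake_cert_pem(issuer):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0C, issuer.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"") + name)
    body = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Run `chain_top_issuer` on the server's full-chain file: "ISRG Root X1" means the short chain is being served, which is the case old Android versions reject.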