Gmail app cert not trusted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: inverlandpanama.com

The Gmail app on Android is prompting "certificate not trusted"

Any help will be appreciated

Cheers!

Certificate not trusted
Subject: [inverlandpanama.com](http://inverlandpanama.com/)
Issuer: R3
Valid from: Apr 26, 2023
Expires on: Jul 25, 2023
Current date: Apr 28, 2023
PEM encoded chain: (omitted)

I ran this command:

It produced this output:

My web server is (include version): * Litespeed: 6.0.12

The operating system my web server runs on is (include version): Linux version 2.6.32-954.3.5.lve1.4.87.el6.x86_64 (mockbuild@imagebuilder.corp.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Fri Jan 28 05:34:34 EST 2022

My hosting provider, if applicable, is: namecheap (shared)

I can login to a root shell on my machine (yes or no, or I don't know): using cpanel access to shell commands

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): using cpanel access to shell commands

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol
v3.0.5

What version of Android are you running? Because that cert is using the "short chain" from Let's Encrypt. Older versions of Android require the "long chain" which is the default.

Also, what port is your GMAIL app connecting to? There are several different ports that mail apps can use.

At least HTTPS requests to the domain name validate correctly with a modern system. See this SSL Checker site for example (link here)

5 Likes

> What version of Android are you running? Because that cert is using the "short chain" from Let's Encrypt. Older versions of Android require the "long chain" which is the default

Android 6.0.1 under phone settings
GMAIL 2023.04.02.523594694 version

> Also, what port is your GMAIL app connecting to? There are several different ports that mail apps can use.

imap email on shared namecheap server is showing 993/465 (ssl/tls) under app settings

.

https://knowledgebase.geolantis.com/HOW%20TO/how-to-install-root-certificate-on-android-6-0-device/

not sure if gmail app pins trust store or not but try this

3 Likes

> How-to install a root certificate on Android 6.0 devices? – Geolantis.360 Knowledgebase
>
> not sure if gmail app pins trust store or not but try this

I wasn't aware that it was needed to install under Android for this kind of certificate issue

thxs!

I'll try and will return with some feedback

1 Like

Can you change your server to use the default "long chain" instead? Android below 7.1.1 should trust the long chain without mods to Android.

You must have done something to use the "short chain" because it is not the default. How did you get the Let's Encrypt cert?

Also see this about older Android systems:

3 Likes

shared namecheap server

so no, he isn't the server's admin

3 Likes

Doesn't namecheap offer several tiers of shared hosting? Some with full control?

3 Likes

OR
Switch free CAs

3 Likes

> You must have done something to use the "short chain" because it is not the default. How did you get the Let's Encrypt cert?

acme.sh via ssh jailed

> Can you change your server to use the default "long chain" instead? Android below 7.1.1 should trust the long chain without mods to Android.

how?

IdenTrust switch is on and listed under settings

Did you use either of these options with acme.sh when you requested the cert? Or, did you manually modify the chain?

```
--set-default-chain        Set the default preferred chain for a CA.
--preferred-chain <chain>  If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
```

2 Likes

> Did you use either of these options with acme.sh when you requested the cert? Or, did you manually modify the chain?
>
> ```
> --set-default-chain        Set the default preferred chain for a CA.
> --preferred-chain <chain>  If the CA offers multiple certificate chains, prefer the chain with an issuer matching this Subject Common Name.
> ```

didn't use these modifiers.... sorry but I'm a noob to Let's Encrypt

will return with some feedback.... thxs!

2 Likes

I ran this in terminal

```
acme.sh --set-default-chain  --preferred-chain isrg  --server letsencrypt
acme.sh  --renew-all --force
```

but my gmail app and chrome in android are still prompting invalid certificate

this is in chrome under android: NET::ERR_CERT_AUTHORITY_INVALID

cheers!

That is what is causing the problem (I believe). You are requesting the "short chain" but your very old Android version needs the default "long chain".

I don't know acme.sh well enough to advise how to remove that setting. But, get rid of the override for the default chain and try again

4 Likes

so I should run it without: --set-default-chain?

Yes. In fact, you have to unset your override of the default chain.

I never told you to set the default chain. I asked whether you had because you are not getting the Let's Encrypt default chain so you must have been overriding that.

3 Likes

ok.... thxs.... I will try to find out how to set the long chain as default

OR
Try getting a cert from another free CA.

2 Likes

Do you know how I set the "long chain" as default?

You could try

```
acme.sh --set-default-chain  --preferred-chain DST  --server letsencrypt
```

Better would be to unset it so in the (long) future you always get the Let's Encrypt default rather than forcing it to be one thing or another.

On my system I believe I could remove the appropriate line from the ca.conf file because that's where this setting went. But, I am not an acme.sh expert so not sure if that is safe to do.

```
~/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory]> ls -l
total 12
-rw-rw-r-- 1 ubuntu ubuntu  544 Oct 25  2022 account.json
-rw------- 1 ubuntu ubuntu 1679 Oct 25  2022 account.key
-rw-rw-r-- 1 ubuntu ubuntu  196 May  1 20:32 ca.conf

cat ca.conf

CA_EMAIL='example@example.com'
ACCOUNT_URL='https://acme-v02.api.letsencrypt.org/acme/acct/[redacted]'
CA_KEY_HASH='[redacted]'
DEFAULT_PREFERRED_CHAIN='ISRG'
```

You could ask about this on the acme.sh GitHub

3 Likes
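
A check for the two things this thread turns on, which chain the server actually sends and whether acme.sh has a stored chain override. This is an added example, not code from the thread or from acme.sh: the function names are hypothetical, the chain listings and ca.conf are constructed, and it assumes the "Certificate chain" layout printed by `openssl s_client -showcerts` and the Let's Encrypt chain names current at the time of the thread.

```shell
#!/bin/sh
# Added example (not from the thread). All sample data below is constructed.

# Print "long", "short" or "unknown" for `openssl s_client -showcerts` output
# on stdin, judged by the issuer (i:) of the last certificate the server sends.
classify_chain() {
    last_issuer=$(grep -E '^[[:space:]]*i:' | tail -n 1)
    case "$last_issuer" in
        *"DST Root CA X3"*) echo long ;;    # ISRG Root X1 cross-signed by DST
        *"ISRG Root X1"*)   echo short ;;   # chain stops at R3 <- ISRG Root X1
        *)                  echo unknown ;;
    esac
}

# Print the DEFAULT_PREFERRED_CHAIN value from an acme.sh ca.conf, or "none".
chain_override() {
    value=$(sed -n 's/^DEFAULT_PREFERRED_CHAIN=//p' "$1" | tr -d "'\"")
    echo "${value:-none}"
}

# Constructed chain listings (example.com is a placeholder subject).
short_sample() { cat <<'EOF'
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}
long_sample() { short_sample; cat <<'EOF'
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Constructed ca.conf carrying the override shown in the thread.
sample_conf() {
    f=$(mktemp)
    printf "CA_EMAIL='example@example.com'\nDEFAULT_PREFERRED_CHAIN='ISRG'\n" > "$f"
    echo "$f"
}

conf=$(sample_conf)
echo "short sample: $(short_sample | classify_chain)"
echo "long sample:  $(long_sample | classify_chain)"
echo "override:     $(chain_override "$conf")"
rm -f "$conf"
```

Against a live mail server, pipe `openssl s_client -connect HOST:993 -showcerts </dev/null 2>/dev/null` into `classify_chain`, with HOST as a placeholder; a "short" result together with an `ISRG` override matches the failure described for Android below 7.1.1.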