I'm currently checking for certificate compatibility with Android 7.0 devices.
Therefore I have concatenated the certificate with the 2 intermediate certificates in this order:
Domain cert
Intermediate R3 cert
Intermediate ISRG Root X1
Now the certificate chain on Android < 7.1 looks as expected: Domain -> R3 -> ISRG Root X1 -> DST Root CA X3
But checking the server with immuniweb.com or ssllabs.com shows:
"certificate chain in a wrong order"
I can confirm this by looking at the openssl output:
openssl s_client -host mail.csc-nord.de -port 443 -prexit -showcerts
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=mail.csc-nord.de
   i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
It seems like the R3 and Root X1 certificates are served in the wrong order?
Unfortunately I can't figure out how to correct this.
My domain is: mail.csc-nord.de
My web server is (include version): squid 4.15
The operating system my web server runs on is (include version): pfSense 2.5.2
I'm using the ACME package from pfSense, which generated the R3 and Root X1 intermediate certs along with my domain cert.
The squid package in pfSense requires intermediate certificates to be added manually, as this is not done automatically.
I had the old R3 intermediate added for the last few years, which worked without a problem.
But now the chain has to be 1 intermediate cert longer for Android 7 compatibility, right?
If you go to: SSL Server Test: mail.csc-nord.de (Powered by Qualys SSL Labs)
Then click on the + on the "Certificate Paths" line.
You will then be shown two trusted paths.
There is a download type link shown for each.
Each will contain the cert and the matching intermediates.
One of those trust paths should work with the older Android devices.
If neither of them does, then you may need to switch to one of the other FREE CA certs.
If you have access to the cert files, then just reorder them.
It is now in this order:
Certificate chain
0 s:/CN=mail.csc-nord.de
   i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Change it to this order (0, 2, 1):
Certificate chain
0 s:/CN=mail.csc-nord.de
   i:/C=US/O=Let's Encrypt/CN=R3
2 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
1 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
[take the middle cert and move it to last - or last and move it to the middle]
If you are looking for a more automated way to do this...
I would contact pfSense (if they provided the intermediates in the wrong order).
If you put the pieces together, then just change the ordering on the build step.
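The reordering described in the answer above can be automated instead of done by hand: each certificate in a server's chain must be followed by the certificate that issued it (subject of the next entry equals issuer of the previous one, and the signature verifies). The Go program below is an added example, not code from the thread, pfSense or squid. It builds a constructed three-certificate test chain (root, intermediate, leaf; the names "Test Root", "Test Intermediate" and "mail.example.test" are made up), PEM-encodes it in the misordered form the poster's server sent (leaf, root, intermediate), and then re-sorts it leaf-first by matching issuer to subject and checking each signature. The same function works on a real concatenated PEM file such as the one fed to squid; for a cross-signed last entry like ISRG Root X1 signed by DST Root CA X3, its issuer is simply absent from the bundle and the walk stops there.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePEMBundle splits a concatenated PEM file into parsed certificates.
func parsePEMBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, err
			}
			certs = append(certs, c)
		}
		bundle = rest
	}
	if len(certs) == 0 {
		return nil, errors.New("no certificates found in bundle")
	}
	return certs, nil
}

// OrderChain returns the certificates leaf-first, each followed by its issuer,
// which is the order a TLS server is expected to send them in.
func OrderChain(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	// A subject that appears as the issuer of some *other* certificate is a CA;
	// the leaf is the one certificate whose subject issued nothing else here.
	isIssuer := map[string]bool{}
	for _, c := range certs {
		if string(c.RawIssuer) != string(c.RawSubject) { // skip self-signed roots
			isIssuer[string(c.RawIssuer)] = true
		}
	}
	var leaf *x509.Certificate
	for _, c := range certs {
		if !isIssuer[string(c.RawSubject)] {
			if leaf != nil {
				return nil, errors.New("bundle contains more than one leaf candidate")
			}
			leaf = c
		}
	}
	if leaf == nil {
		return nil, errors.New("no leaf certificate found")
	}
	// Walk upward: pick the bundle entry whose subject matches the current
	// issuer and whose key actually signed the current certificate.
	ordered := []*x509.Certificate{leaf}
	cur := leaf
	for len(ordered) < len(certs) {
		var next *x509.Certificate
		for _, c := range certs {
			if c != cur && string(c.RawSubject) == string(cur.RawIssuer) && cur.CheckSignatureFrom(c) == nil {
				next = c
				break
			}
		}
		if next == nil {
			return nil, fmt.Errorf("no issuer for %q in bundle", cur.Subject.CommonName)
		}
		ordered = append(ordered, next)
		cur = next
	}
	return ordered, nil
}

// newTemplate builds a minimal certificate template (constructed test data).
func newTemplate(cn string, serial int64, ca bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if ca {
		usage = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: usage,
	}
}

// makeCert signs tmpl with parentKey, or self-signs it when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildMisorderedBundle returns a constructed chain PEM-encoded in the wrong
// order the original poster's server used: leaf, root, intermediate.
func BuildMisorderedBundle() []byte {
	root, rootKey := makeCert(newTemplate("Test Root", 1, true), nil, nil)
	inter, interKey := makeCert(newTemplate("Test Intermediate", 2, true), root, rootKey)
	leaf, _ := makeCert(newTemplate("mail.example.test", 3, false), inter, interKey)
	var out []byte
	for _, c := range []*x509.Certificate{leaf, root, inter} {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// ChainCommonNames parses and reorders a bundle, returning subject CNs leaf-first.
func ChainCommonNames(bundle []byte) ([]string, error) {
	certs, err := parsePEMBundle(bundle)
	if err != nil {
		return nil, err
	}
	ordered, err := OrderChain(certs)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(ordered))
	for _, c := range ordered {
		names = append(names, c.Subject.CommonName)
	}
	return names, nil
}

func main() {
	names, err := ChainCommonNames(BuildMisorderedBundle())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for i, n := range names {
		fmt.Printf("%d %s\n", i, n)
	}
}
```

To apply this to a real deployment, replace BuildMisorderedBundle with the bytes of the concatenated PEM file and write the reordered certificates back out with pem.EncodeToMemory in the returned order; the CheckSignatureFrom call is what distinguishes a genuine issuer from an unrelated certificate that merely carries the same subject name, which is exactly the situation when both the self-signed and the cross-signed ISRG Root X1 are on hand.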