Invalid cert when accessing from Android 6

My domain is:

Hey all,

First of all, huge props to all the people who have been helping the rest of us navigate this recent expiry issue, you guys are incredible.

Unfortunately, after the Root X3 certificates expired on the 30th, users accessing my site on Android 6 have reported getting certificate error messages. I did some trawling around this forum looking for a solution, but didn't have much luck. I have attempted to troubleshoot this by re-installing my certificates with certbot with the --preferred-chain "DST Root CA X3" flag, but had no success with that. The website is fully accessible for all of my other users, to my knowledge.

Grateful to anyone who has suggestions about how I can proceed, thank you.

1 Like

Hello @rexamillion,

The first thing I would check is the reason why your Apache web server is not sending the intermediate certs, only the leaf certificate:

$ echo | openssl s_client -connect -servername 2>/dev/null | grep -E -A1 '^\ [0-9]?\ s:'
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3

And in your case, you used --preferred-chain "DST Root CA X3" (not needed because this is the default chain) and the output of above command should look like:

 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

So, I would recheck the Apache conf because the part where you define the paths to your cert and key should look like this:

SSLCertificateFile    /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

or if you are using Apache version previous to 2.4.8 like this:

SSLCertificateFile    /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Hope this helps.



Hi @sahsanu !

Thanks for the speedy reply and great help. Turns out I was serving cert.pem instead of fullchain.pem and swapping these two corrected the issue.

Thanks again!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.