first sorry for my bad english, but i try to give my best:
I am a not technical person who have a wordpress blog, my pronunciation is therefore very amateurish .
Some Infos:
My hoster use Letsencrypt Certifcates.
I have from different developers an iOS App and Android App for my reading users.
Problem:
Last week (30.09.) Android App doesn´t work (from all Android Versions), i was in panic (for 3 people including me, blog is the main job) and ask my provider/hoster about this problem, because the android app developer had no ideas. The hoster delete than the old certifcate (they say "bridge certifcate") and: Android App works again, but until from 7.1.1. upwards.
So: now at the moment Android under 7.1.1. doesnt work. The app cannot establish a connection and the browser can only be used with Firefox, all other browsers get: NET::ERR_CERT_AUTHORITY_INVALID
My hoster say, there is no solution for the problem. Is it so? Have anyone any idea what we can do, that all Android Users over 2.3 can use us via browser and app again?
About 3% of my users still use Android 7.1 or lower. That's not a lot, but I don't want to lose these users either.
There may be one, or more, problem(s) with your server.
It might not be serving the right chain (or any chain at all) Please provide an FQDN to test with.
Even if we fix the Android access issue, you might still have an older iOS access issue.
If so, it might be best for you to switch to another free ACME friendly CA.
To service the older Android devices, you can either:
use the longer chain (through "DST Root CA X3 (expired)"
Note: this may cause problems with older iOS systems and such...
[and since it is not the default chain - you must have switched to it for some reason]
switch to another ACME protocol friendly (and free) CA
Here is the current chain being served:
[leaf > R3 > X1]
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dealgott.de
verify return:1
CONNECTED(00000005)
---
Certificate chain
0 s:CN = dealgott.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
do you know which iOS Systems? I haven't changed anything. According to his statement, only the provider deleted the old certificate (bridge). Does that mean: I don't have a standard certificate and should talk to the provider again? and can i test your chain and, in an emergency, undo it without any problems? or the devices then store the chain in the cache
@Funksta
A1:
iOS <10.12
What was deleted was part of the chain.
You have a "standard" cert (there is only one type offered by LE) - it is served with the shorter chain now.
If you have access to whichever chain file is being served, yes you can switch between them.
[chain cache will happen from all LE sites not just yours]
