Kindle Paperwhite Experimental Browser cert errors


#1

My understanding is that the Kindle “experimental browser” is known to be very limited. It works OK with sites like Google and Amazon, etc. Just for the hell of it, I tried it with my own blog (lauren.vortex.com) that has current Let’s Encrypt certs and is busy all day long with happy connections from around the world – no known problems. However, for the record a new PW 3 Kindle (firmware 5.8.11) gave a “can’t verify cert” (or words to that effect) error connecting to my blog – and then let me choose to connect anyway – so I assume it was a CA error of some sort. After that it established an https: connection fine. Just passing this along for whatever it’s worth. Thanks.


#2

Do you know if other sites using Let’s Encrypt work?

https://lauren.vortex.com/ has the certificate chain configured partly incorrectly:

https://www.ssllabs.com/ssltest/analyze.html?d=lauren.vortex.com&hideResults=on&latest

Instead of sending the site’s certificate and the Let’s Encrypt intermediate, it sends the site’s certificate twice and the Let’s Encrypt intermediate.

I’m not familiar with the Kindle browser in particular, but some stricter clients do reject that kind of issue.

How is the certificate configured in Apache? If it’s:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

it should be changed to:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

or:

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

#3

Hmm. Yes, the directives for all my sites are using “fullchain” not “chain” – amazing that after more than two years on Let’s Encrypt I’ve never heard a peep of issues, so it seems that the vast majority of browsers don’t care. I changed it to “chain” on another site that the Kindle hadn’t touched yet, and it worked without the error. I’ve now also changed it on lauren.vortex.com so if you check again it should be “correct” now – if it’s not please let me know! I’ll go ahead and change it across all sites. Thanks!


#4

Since I followed fairly standard configuration rules on those sites, perhaps it would be useful if Let’s Encrypt docs emphasized this point.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.