Let's Encrypt Authority X3 missing on Android


#1

As mentioned in the topic, the CA certs are missing on Android, even on the latest (Pie).
This is annoying when you try to connect K9-Mail to your mailserver, which is using ‘Let’s Encrypt’, and get a popup about an ‘invalid certificate’.
When will the CA certs be part of Android?


#2

They are part of Android, but it doesn’t actually matter whether they are or not.

Most/all servers with Let’s Encrypt are using the intermediates cross-signed by DST Root CA X3: https://letsencrypt.org/certificates/ which is an old root already present on all systems.

What’s really going on in your situation is probably that you have misconfigured the intermediate.

If you can tell us your domain name, we can check, or you can try something like openssl s_client.


#3

They are not! If they were, I wouldn’t get that message…
See: http://www.computersalat.de/paste/Screenshot_20181112-025441_K-9_Mail.png


#4

For reference, you are sending the root in your chain, which is useless/redundant. I’m not sure if it is causing your issue or not, but it’s possible. You only need to send the first two.

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = c00.wittmer.mx
verify return:1
CONNECTED(00000005)
---
Certificate chain
0 s:CN = c00.wittmer.mx
  i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
  i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
---
Server certificate
subject=CN = c00.wittmer.mx

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4899 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 342CF8BB49EB41546818D93A199617F18C4998AC6A352F716397A8004ADA9C90
    Session-ID-ctx: 
    Master-Key: E9C227A966F2E60759620BA494F2F24731BDFDD2CFD579567BD8237235CB2D0D31E40151F4B59290080A56ADC64A9611
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 5c 69 1e 9e 40 df e4 02-93 03 ad d8 bf 05 22 5f   \i..@........."_
    0010 - fe f8 44 f3 8c 31 b8 2d-14 26 4e ab 13 26 59 d5   ..D..1.-.&N..&Y.
    0020 - 67 b1 95 dd c1 d4 11 3d-ee 31 28 72 bf a7 69 8a   g......=.1(r..i.
    0030 - d1 eb 58 75 39 ce 71 1c-a7 54 66 e1 6b ba f2 a8   ..Xu9.q..Tf.k...
    0040 - 67 29 00 50 ea cb 83 96-e0 e7 b6 75 ef 1d ba 7d   g).P.......u...}
    0050 - 85 ec 0d 2d 86 d9 58 e0-28 61 5a 22 64 87 20 d4   ...-..X.(aZ"d. .
    0060 - 71 db e7 82 37 dc 28 87-cd 12 d3 ee ee 8f 63 24   q...7.(.......c$
    0070 - cb 2d f4 3d cb da cc 7f-54 2e 11 f1 1a 8d df fa   .-.=....T.......
    0080 - c9 d8 f6 ea 3e 12 c5 f9-dd 28 57 8d 13 55 38 18   ....>....(W..U8.
    0090 - 56 35 a6 88 0f 46 3b b5-9f f0 56 3c bd 0e 21 15   V5...F;...V<..!.
    00a0 - d4 de f4 e5 e0 27 d2 64-5e c0 72 5d 0f d2 95 f8   .....'.d^.r]....
    00b0 - 73 5a 9e d0 50 e2 da 23-c1 a4 f3 4a a2 3a 50 aa   sZ..P..#...J.:P.

    Start Time: 1541989326
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
220 c00.wittmer.mx ESMTP

As for your error, could you tell me if visiting https://letsencrypt.org in your Android browser gives you an error as well?


#5

Some more problems with your server:

On port 465 (SMTPS), you are sending the leaf, intermediate AND root (bad because root is redundant).

On port 993 (IMAPS) you are sending only the leaf certificate (bad because missing the intermediate).

The latter issue may definitely cause the error you got.

Depending which port you’re getting problems on, you need to make adjustments to your certificate chain, to send only leaf+intermediate.

And all of your TLS ports should be sending the same chain.


#6

How exactly did you check the TLS ports?
So, if I understand you right, I should send ‘fullchain.pem’?


#7

Yes! fullchain.pem is usually the correct choice.

Checking cert chain can be done with e.g.

openssl s_client -connect c00.wittmer.mx:993 -servername c00.wittmer.mx -showcerts
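
The checks described in #5 and #7 (look at the chain on every TLS port, send leaf + intermediate, no root) as a script. This is an added example and not something posted in the thread: it parses the `Certificate chain` section of `openssl s_client -showcerts` output and flags a missing intermediate, a redundant root, or a chain whose certificates are out of order. The trusted-root set and the three sample transcripts are constructed for the example (modelled on the output shown in #4, PEM bodies omitted); the live check needs `openssl` on PATH and network access, and the hostname c00.wittmer.mx is the one from the thread.

```python
"""Classify the chain a TLS server actually sends, from `openssl s_client -showcerts` output."""
import re
import subprocess
import sys

# In the "Certificate chain" section openssl prints each certificate as
# " N s:<subject>" followed by "   i:<issuer>" and then its PEM block.
_SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Roots the client is assumed to ship (constructed for this example). DST Root CA X3
# is the root that cross-signs Let's Encrypt Authority X3 in the thread above.
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def classify_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Return a list of findings; an empty list means leaf + intermediate(s) only."""
    chain = list(chain)
    if not chain:
        return ["no certificate sent"]
    if len(chain) == 1 and chain[0][0] == chain[0][1]:
        return ["self-signed certificate: " + chain[0][0]]
    findings = []
    if chain[-1][0] == chain[-1][1]:
        # A self-signed certificate at the end is a root. The client must already
        # trust it for the connection to verify at all, so sending it only adds bytes.
        findings.append("redundant root: " + chain[-1][0])
        chain.pop()
    for n, (subject, issuer) in enumerate(chain):
        if n + 1 < len(chain):
            if chain[n + 1][0] != issuer:
                findings.append("broken chain: %s is not followed by its issuer %s" % (subject, issuer))
        elif issuer not in trusted_roots:
            # The last certificate sent must be issued by a root the client knows;
            # otherwise the client has to locate the intermediate itself, which many
            # mail clients do not do.
            findings.append("missing intermediate: no certificate sent for issuer " + issuer)
    return findings


def fetch_chain(host, port, starttls=None, timeout=15):
    """Run openssl s_client against host:port and parse the chain it sent (needs network)."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-showcerts"]
    if starttls:  # e.g. "smtp" for 25/587 or "imap" for 143; 443/465/993 use implicit TLS
        cmd += ["-starttls", starttls]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_chain(proc.stdout.decode("utf-8", "replace"))


# Constructed transcripts in the shape of the output posted in #4 (PEM bodies omitted).
DN_LEAF = "CN = c00.wittmer.mx"
DN_INT = "C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3"
DN_ROOT = "O = Digital Signature Trust Co., CN = DST Root CA X3"
_PEM = "-----BEGIN CERTIFICATE-----\n(omitted)\n-----END CERTIFICATE-----\n"


def _entry(n, subject, issuer):
    return " %d s:%s\n   i:%s\n%s" % (n, subject, issuer, _PEM)


_HEAD = "CONNECTED(00000005)\n---\nCertificate chain\n"
SAMPLE_993 = _HEAD + _entry(0, DN_LEAF, DN_INT) + "---\n"                                # leaf only
SAMPLE_443 = _HEAD + _entry(0, DN_LEAF, DN_INT) + _entry(1, DN_INT, DN_ROOT) + "---\n"   # fullchain.pem
SAMPLE_465 = SAMPLE_443[:-4] + _entry(2, DN_ROOT, DN_ROOT) + "---\n"                     # leaf+intermediate+root

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python3 chaincheck.py c00.wittmer.mx 443 465 993
        host = sys.argv[1]
        for port in map(int, sys.argv[2:]):
            print(port, classify_chain(fetch_chain(host, port)) or "ok")
    else:  # offline: run the classifier over the constructed transcripts
        for name, sample in (("993", SAMPLE_993), ("465", SAMPLE_465), ("443", SAMPLE_443)):
            print(name, classify_chain(parse_chain(sample)) or "ok")
```

Run it without arguments to classify the constructed transcripts, or with a hostname and port list to probe a live server. The missing-intermediate check is relative to the root set you pass in, so extend `TRUSTED_ROOTS` if a deployment chains to a different root.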


#8

Thank you …
IMAP should be fixed now … K9 is not complaining anymore.
SMTP (postfix) is configured to use ‘cert.pem’. No idea so far why postfix is sending ‘all’.
HTTP is sending ‘fullchain.pem’ …


#9

Most clients usually tolerate/ignore irrelevant certificates (at least, all browsers do), so it’s not the end of the world.

Happy to hear K9 stopped complaining.