Missing Intermediate Certificate Means SmartPhones Don't Trust Site


#1

Hello,

First of all, your project is very interesting.

Creating a certificate was successful after a few small difficulties, and the site is now online.
I used the instructions and the corresponding script:
letsencrypt-nosudo

In doing so, I noticed that some smartphones (Android and iPhone 4S with iOS 7) have problems with the certificate.
I get the following message on Android (in German; I will try to translate):

“(The site) is not trustworthy!
You are trying to reach www.hn-websolutions.com, but the server uses a certificate that originates from a person who is not trusted by the operating system of the computer. A possible reason is that the server has created its own security information which is not trusted as an identity, or that a hacker is trying to intercept your communication.
Do not continue if you are getting this warning on this website for the first time.”

This is an error message that means that the certificate is not to be trusted.

On the iPhone, I got a message that the identity of the server cannot be verified.

On the desktop, there are no problems. Only on the smartphone.

The domain is: www.hn-websolutions.com

Thank you very much in advance!


#2

Your intermediate chain is missing. If you configured Apache manually, you need to add something like

SSLCertificateChainFile /etc/letsencrypt/live/www.hn-websolutions.com/chain.pem

I don’t know the specifics of nginx or other servers, but the principle is the same.


#3

According to SSL labs you forgot to add the certificate chain: https://www.ssllabs.com/ssltest/analyze.html?d=hn-websolutions.com&latest
Check this: https://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
You should add something like this to your SSL config: SSLCertificateChainFile /etc/letsencrypt/live/hn-websolutions.com/chain.pem
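
A check for the fault the two posts above diagnose, added here as an example and not code from the thread or from Let's Encrypt: it splits a PEM bundle the way a server would send it and verifies that the leaf is followed by the certificate that issued it. It assumes the openssl CLI and builds a constructed test CA and leaf (made-up names) so it runs offline; for a live server the served bundle can be captured with `openssl s_client -connect host:443 -servername host -showcerts`.

```shell
# Added example, not from the thread: check whether a PEM bundle (the leaf plus
# whatever the server sends with it) links the leaf to its issuer. Needs openssl.

# Number of certificates in a PEM bundle.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 when the bundle holds at least two certificates and each certificate's issuer
# equals the subject of the next one (leaf first, then intermediates).
chain_links_ok() {
    bundle=$1
    n=$(count_certs "$bundle")
    if [ "$n" -lt 2 ]; then
        echo "$bundle: only $n certificate(s), intermediate missing" >&2; return 1
    fi
    dir=$(mktemp -d)   # split into c1.pem, c2.pem, ... in bundle order
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{k++} {print > (d "/c" k ".pem")}' "$bundle"
    i=1; rc=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/c$i.pem" -noout -issuer | sed 's/^issuer=//')
        subject=$(openssl x509 -in "$dir/c$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$subject" ]; then
            echo "$bundle: certificate $i was not issued by certificate $((i + 1))" >&2
            rc=1; break
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Constructed test CA plus a leaf it signs, written into directory $1 (demo only):
# cert_only.pem mimics what the server in the thread sent, fullchain.pem the fix.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAserial "$d/ca.srl" -CAcreateserial -out "$d/leaf.pem" >/dev/null 2>&1
    cp "$d/leaf.pem" "$d/cert_only.pem"
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
}

d=$(mktemp -d); make_demo_chain "$d"   # stand-alone demo of both bundles
chain_links_ok "$d/cert_only.pem" || echo "cert_only.pem is incomplete (the symptom in the thread)"
chain_links_ok "$d/fullchain.pem" && echo "fullchain.pem links leaf to issuer"
rm -rf "$d"
```

On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated and SSLCertificateFile can point directly at fullchain.pem, which already carries both the leaf and the intermediate.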


#4

In addition to @jmorahan’s post: check the results of your site @ SSLLabs

This gives you very handy information about the SSL-status of your webserver, although not everything should be interpreted as shown. (For example, they penalize 128 bits AES-GCM for being ‘just’ 128 bits, although this is safer than 256 bits AES…)


#5

Thank you all, the problem was the missing chain file.
Now it all works fine.


#6

Thanks, worked perfectly. Joys of doing your own things sometimes…