NET:: ERR_CERT_AUTHORITY_INVALID on older Android devices

jukka.ss · November 1, 2021, 10:34am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sawu.fi

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4.51

The operating system my web server runs on is (include version): linux 2.6.32-754.35.1.el6.x86_64

My hosting provider, if applicable, is: webbinen.net

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 86.0 (build 40)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Browsers on older Android devices (tested on 5 and 6) are giving NET:: ERR_CERT_AUTHORITY_INVALID
Also when trying to open https connection from our app, we get:
Failed to validate the certificate chain, error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
handshake failed; returned -1, SSL error code 1, net_error -202

Is there anything that can be done to fix this on our or host's end to fix this?

bruncsak · November 1, 2021, 11:08am

The site is providing the non old Android (Androld) compatible signing certificate chain:

$ openssl s_client -connect sawu.fi:443 
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.sawu.fi
verify return:1
---
Certificate chain
 0 s:CN = www.sawu.fi
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

Check for option in cpanel not to use the alternate signing certificate chain. Please be aware, even if it is there, its use may break some other set of web clients.

jukka.ss · November 2, 2021, 6:20am

We do not have that option

bruncsak · November 2, 2021, 7:33am

Referring to this discussion thread, you may want to contact your hosting provider asking for that default signing chain option.

jukka.ss · November 2, 2021, 9:49am

That option is not available

bruncsak · November 2, 2021, 9:52am

Is that the answer of your hosting provider webbinen.net ?

jukka.ss · November 2, 2021, 10:39am

Yes, that's their answer

bruncsak · November 2, 2021, 10:46am

Well, then I cannot help much, sorry. However, your hosting company must be professional, so they can fix the cPanel 86.0 (build 40) code (upgrade before, if available) they are providing, or contact its software maintainer asking to implement that option.

system · December 2, 2021, 10:46am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.