New TLS certificate: Kotlin/webview just displays a blank page

I've got a new TLS certificate (letsencrypt) - it works in Firefox BUT: my mobile app (Kotlin) shows only a blank page. I don't know why. I searched on the internet but I cannot find the solution. My fix for some days: using the old certificate.

What must I do? This is my bash command to create the certificate: letsencrypt certonly --force-interactive --renew-by-default --webroot --webroot-path /var/www -d $domain

...
I'm trying and trying: in WebView, none of the certificates created by 29 Jun work (I have had a new lets-encrypt-r3 certificate since then).

LE started using multiple issuers to sign leaf certificates; you should (as you already did) use the intermediate certificate given with the certificate.

2 Likes

What is an "intermediate certificate" and where can I find it? I must search my original - I don't see it anywhere. But: why?

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


Please don't use this option. The usage for this option is very limited.

Also, Certbot was once called "letsencrypt" as an ACME client, but that was back in 2016, I believe... I hope you're not still running such an ancient version of Certbot?

You already did the right thing and pointed to the right file.

2 Likes

certbot 2.1.0
My web server is: Apache 2.4.61
The operating system my web server runs on is: Debian 12
My hosting provider, if applicable, is: me at my server.
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no.

--renew-by-default
deleted

Please answer all the questions, especially the mandatory one at the top.

Also, while reverting to the old, working certificate helps your website work in Kotlin/webview, it would make it harder to debug the issue for us. Can you reinstate the new cert/non-working situation, or is that a no-go due to uptime requirements?

1 Like

Sorry. My domain is: https://asteroid.vsevjednom.cz/ - and my app uses this URL too.

1 Like

I'm still using the old certificate because I want my app to work. But I can make a new certificate for some URL. I tried it - it now works in my app too.

Huh, so your test site with a brand new cert works in the app? But your main asteroid subdomain didn't/doesn't? That's weird...

1 Like

No... The site with the new cert works only in Firefox (and in Opera, Chrome...). I tried many of my sites.

But you mentioned something "now works too in my app". What was that exactly?

And at which URL do you have the new (test) certificate set up?

1 Like

My app: https://play.google.com/store/apps/details?id=asteroid.vsevjednom.cz
Too many people are using my app - so I can't do tests with it.

A website which does not work in my app (tested in Android Studio) is, for example, this: sudoku.vsevjednom.cz

That host is sending a hardcoded and incorrect certificate chain:

Certificate chain
 0 s:CN = sudoku.vsevjednom.cz
   i:C = US, O = Let's Encrypt, CN = E6
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Aug  2 17:47:11 2024 GMT; NotAfter: Oct 31 17:47:10 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT

Notice the end leaf cert is signed by E6, but your server is sending a hardcoded intermediate certificate R3, thus breaking the chain.

Please make sure your webserver is using the chain as provided with the certificate by the ACME server. Don't hardcode it to a specific intermediate.

3 Likes
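A chain check along the lines of what the helper above did with openssl, as an added example that is not from the thread, from Certbot or from Let's Encrypt: it builds a throw-away PKI in memory with the third-party `cryptography` package (the names Test Root, R3, E6 and sudoku.example.test are constructed stand-ins) and reports why a served [leaf, R3] chain is broken while [leaf, E6] links up.

```python
# Added example: verify that a served certificate chain actually links leaf -> intermediate.
# Requires the third-party `cryptography` package; all keys and names are constructed here.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, issuer_cn, issuer_key, ca):
    """Issue a cert for subject_cn signed by issuer_key (self-signed when issuer_key is None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=90))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def chain_problems(chain):
    """Check a served chain (leaf first): each cert's issuer must be the next cert's
    subject, and each signature must verify with the next cert's public key."""
    problems = []
    for i in range(len(chain) - 1):
        child, parent = chain[i], chain[i + 1]
        if child.issuer != parent.subject:   # the "E6 leaf, R3 intermediate" mismatch
            problems.append(f"cert {i} is issued by '{child.issuer.rfc4514_string()}' "
                            f"but cert {i + 1} is '{parent.subject.rfc4514_string()}'")
            continue
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except Exception:
            problems.append(f"signature on cert {i} does not verify with cert {i + 1}")
    return problems

def demo():
    """Constructed PKI: one root with two intermediates; the leaf is issued by E6."""
    _, root_key = make_cert("Test Root", "Test Root", None, ca=True)
    r3, _ = make_cert("R3", "Test Root", root_key, ca=True)       # stale hardcoded intermediate
    e6, e6_key = make_cert("E6", "Test Root", root_key, ca=True)  # intermediate that signed the leaf
    leaf, _ = make_cert("sudoku.example.test", "E6", e6_key, ca=False)
    hardcoded = chain_problems([leaf, r3])  # what the server in the thread was sending
    correct = chain_problems([leaf, e6])    # what chain.pem / fullchain.pem provides
    return hardcoded, correct
```

Run `demo()` against the two certificates of a real `openssl s_client -showcerts` dump by loading them with `x509.load_pem_x509_certificate` instead of generating them.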

You're right.
I downloaded E6 here: Chains of Trust - Let's Encrypt
And I changed the settings of sudoku.vsevjednom.cz. Is it better? Maybe this is my problem.

URL https://sudoku.vsevjednom.cz/ still does not work in my app. Is everything OK?

The chain looks OK now, but you shouldn't have needed to download the intermediate from the chains of trust page. It was provided by Certbot when you got the certificate.

3 Likes

WOW! WOW! WOW!
SSLCertificateChainFile /etc/letsencrypt/live/sudoku.vsevjednom.cz/chain.pem
IT WORKS!
But asteroid.vsevjednom.cz still does not work :(.
The settings of this URL are changed. The solution will be fast, I hope.

There's E5 at asteroid.vsevjednom.cz :(. Maybe random.

Yes, the intermediates are chosen at random. Deliberately. So users (like you :wink:) will stop hardcoding intermediate certificates, but always use the one provided together with the cert.

Note that your Apache version doesn't require SSLCertificateChainFile. Providing SSLCertificateFile with fullchain.pem should suffice.

3 Likes