No trusted RSA public key error on Android below 7.1.1

Hello,
Android 7.1.1 and above does not get the "no trusted RSA public key" error, while versions below Android 7.1.1 get the error "no trusted RSA public key found for 'subdomain.domain.com'".

Command for certificate information:
openssl x509 -in cert.pem -text
Output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:d6:41:43:02:..................
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Aug 11 09:17:20 2022 GMT
            Not After : Nov  9 09:17:19 2022 GMT
        Subject: CN = subdomain.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:b7:6b:e6:fe:50:.......................
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                8F:2B:8D:1C:0D:84:DA:......................
            X509v3 Authority Key Identifier: 
                14:2E:B3:17:B7:58:56:....................
            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name: 
                DNS:subdomain.domain.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DF:A5:5E:.....................
                    Timestamp : Aug 11 10:17:20.822 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:58:36..........................
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 29:79:BE:F0:9E:39....
                    Timestamp : Aug 11 10:17:21.309 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:7D:BD:38:CF:89:49:0F:3D:E9:BF:7E:78:
                                8A:51:E5:DE....
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        39:f4:89:91:7d:0c:61:aa:cd:......................
-----BEGIN CERTIFICATE-----
MIIGKzCCBROgAwIBAgISBNZ........................
-----END CERTIFICATE-----

Command to create the certificate:
certbot certonly --non-interactive --agree-tos --standalone --preferred-challenges http --email "mail@mail.com" -d "subdomain.domain.com"

This is the error I get when I run it under Android 7.1.1.
Error output:

received end entity cert "CN=subdomain.domain.com"
received issuer cert "C=US, O=Let's Encrypt, CN=R3"
using certificate "CN=subdomain.domain.com"
using untrusted intermediate certificate "C=US, O=Let's Encrypt, CN=R3"
checking certificate status of "CN=subdomain.domain.com"
requesting ocsp status from 'http://r3.o.lencr.org' ...
failed to fetch from 'http://r3.o.lencr.org'
ocsp request to http://r3.o.lencr.org failed
ocsp check failed, fallback to crl
certificate status is not available
no issuer certificate found for "C=US, O=Let's Encrypt, CN=R3"
issuer is "C=US, O=Internet Security Research Group, CN=ISRG Root X1"
no trusted RSA public key found for 'subdomain.domain.com'

Welcome @meteoguzhan

If you provide your actual domain name we could say for sure.

But your server is likely sending out the "short chain" and not the default "long chain" needed for older Android compatibility.

See this topic for more details

If you need help configuring your ACME client and/or server for this, please complete the questions from the form as best you can.

====================================

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

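The path-building step that fails in the log above, as an added example that is not part of the original thread and not code from Let's Encrypt, certbot or Android. Certificates are modelled by their subject and issuer names only (constructed data), which is all a client needs for the step that produced "no issuer certificate found for ... / issuer is ...". The two trust stores are assumptions standing in for Android before 7.1.1 (has DST Root CA X3, lacks ISRG Root X1) and Android 7.1.1 and later (has both). The short chain is leaf plus R3; the long chain adds ISRG Root X1 cross-signed by DST Root CA X3.

```python
"""Walk a served certificate chain the way a TLS client does and report
whether it reaches a root in the client's trust store.

Constructed example: certificate names are the ones seen in the forum log,
the trust-store contents are assumptions for old and new Android.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Names as they appear in the log; only subject/issuer matter for path building.
LEAF = Cert("CN=subdomain.domain.com", "C=US, O=Let's Encrypt, CN=R3")
R3 = Cert("C=US, O=Let's Encrypt, CN=R3",
          "C=US, O=Internet Security Research Group, CN=ISRG Root X1")
# The cross-signed ISRG Root X1: the extra certificate in the "long chain".
ISRG_X1_CROSS = Cert("C=US, O=Internet Security Research Group, CN=ISRG Root X1",
                     "O=Digital Signature Trust Co., CN=DST Root CA X3")

SHORT_CHAIN = [LEAF, R3]
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Assumed trust stores (constructed): old Android lacks ISRG Root X1.
OLD_ANDROID_ROOTS = {"O=Digital Signature Trust Co., CN=DST Root CA X3"}
NEW_ANDROID_ROOTS = OLD_ANDROID_ROOTS | {
    "C=US, O=Internet Security Research Group, CN=ISRG Root X1"}


def build_path(chain, trusted_roots):
    """Return (trusted, log_lines).

    Start at the end-entity certificate and follow issuer names through the
    certificates the server sent, stopping as soon as an issuer is a root the
    client already trusts, or failing when the chain runs out first.
    """
    by_subject = {c.subject: c for c in chain[1:]}
    current = chain[0]
    log = [f'using certificate "{current.subject}"']
    while True:
        if current.issuer in trusted_roots:
            log.append(f'issuer "{current.issuer}" is a trusted root')
            return True, log
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # This is the situation in the log: R3 was served, its issuer was not,
            # and the client's store has no ISRG Root X1 to anchor it.
            log.append(f'no issuer certificate found for "{current.subject}"')
            log.append(f'issuer is "{current.issuer}"')
            log.append(f"no trusted public key found for '{chain[0].subject}'")
            return False, log
        log.append(f'using untrusted intermediate certificate "{nxt.subject}"')
        current = nxt


def topmost_issuer_cn(chain):
    """CN of the issuer of the last certificate served.

    This is the value certbot's --preferred-chain is matched against:
    "ISRG Root X1" selects the short chain, "DST Root CA X3" the long one.
    """
    for part in chain[-1].issuer.split(", "):
        if part.startswith("CN="):
            return part[3:]
    raise ValueError(f"no CN in issuer {chain[-1].issuer!r}")


def main():
    for chain_name, chain in (("short chain", SHORT_CHAIN), ("long chain", LONG_CHAIN)):
        print(f"{chain_name}: topmost certificate issued by CN={topmost_issuer_cn(chain)}")
        for store_name, roots in (("Android < 7.1.1", OLD_ANDROID_ROOTS),
                                  ("Android >= 7.1.1", NEW_ANDROID_ROOTS)):
            ok, log = build_path(chain, roots)
            print(f"  {store_name}: {'OK' if ok else 'FAIL'}")
            for line in log:
                print("    " + line)


if __name__ == "__main__":
    main()
```

Running it reproduces the log's failure for the short chain on the old trust store and shows the long chain succeeding there because the path ends at DST Root CA X3; on the newer store both chains stop at R3 once ISRG Root X1 is recognised. To see which chain a server really sends, `openssl s_client -connect subdomain.domain.com:443 -servername subdomain.domain.com -showcerts` prints every certificate presented: two certificates (leaf and R3) is the short chain, three (with ISRG Root X1 issued by DST Root CA X3 on top) is the long chain. With certbot the served chain is whatever is in fullchain.pem, selected at issuance with --preferred-chain; a server configured to serve cert.pem alone sends no intermediate at all and fails everywhere.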
