Old Android and other OS security warning (Insecure connection)

Hello,
I'm looking for some light with some of our clients. The typical problem, Unsecure site. My hosting provider says everything is ok, and that this has to be due to old browsers or old Operating systems. I need to know if this is something the client needs to do or if the server is misconfigured.
Thank you in advance.
Regards!
Florencia

My domain is:
banfieldlocura.com.ar
I ran this command:
$ openssl s_client -connect banfieldlocura.com.ar:443 -servername banfieldlocura.com.ar -showcerts
It produced this output:


CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = banfieldlocura.com.ar
verify return:1
---
Certificate chain
 0 s:CN = banfieldlocura.com.ar
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = banfieldlocura.com.ar

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3916 bytes and written 439 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 33144220BA575C1BD1E8FCE58182DC08F725424025AB01BEE83E7BE8A8B0FCD3
    Session-ID-ctx:
    Master-Key: 0378DFE78091001C9389440A5563F4942102D3AF52BDB29963EAF06157A2CD6613BFBD7175F463BC574075497945413E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1643381385
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

My web server is (include version):
Apache 2.4.51
Nginx 1.21.4

It is.

That is correct.

If the clients can be updated/upgraded, then that is best.
"Fixing" one single site won't "fix" this problem for them with the other 200M LE certs on the Internet.
["fixing" is a very loose term - there is really nothing to "fix" on the server (the root cert is >6.5 years old)]

That said, you could switch to using another free CA (with an older trusted root).
One that might be included in those very old browsers and operating systems.

2 Likes

Thank you very much!
I close this topic, really nice community.

2 Likes

Issues with Android pre-7.1.1 could be solved by using the "Android compatibility chain" which includes a cross-signed ISRG Root X1-signed-by-the-now-expired-DST Root CA X3 root certificate.

However, the Android compatible chain (often called the "long chain") can complicate things for other (older) clients. Note that Let's Encrypt believes older Android support weighs more than incompatibilities with other older clients, as Let's Encrypt chose to use the "long chain" by default. It seems your hosting provider has chosen to use the "short" chain, which does not include support for Android pre-7.1.1.

2 Likes
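
The short/long chain distinction described in the reply above can be read directly from the `Certificate chain` section of `openssl s_client` output. The following is an added example, not part of the original thread: it parses that section and classifies the served chain. The long-chain sample is constructed for comparison, and the function names are hypothetical.

```python
import re

# SHORT_CHAIN reuses the s:/i: lines from the output posted in this thread.
SHORT_CHAIN = """\
Certificate chain
 0 s:CN = banfieldlocura.com.ar
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

# LONG_CHAIN is constructed: the same chain plus the cross-signed ISRG Root X1.
LONG_CHAIN = SHORT_CHAIN.replace("---\n", "") + """\
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>" line.
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)


def common_name(dn):
    """Extract the CN from a distinguished name as printed by openssl."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output):
    """Return [(depth, subject CN, issuer CN), ...] for the certificates the server sent."""
    return [(int(d), common_name(s), common_name(i))
            for d, s, i in ENTRY.findall(s_client_output)]


def classify(s_client_output):
    """Classify the served chain by its topmost certificate."""
    chain = parse_chain(s_client_output)
    if not chain:
        return "no chain found"
    _, top_subject, top_issuer = chain[-1]
    if top_subject == "ISRG Root X1" and top_issuer == "DST Root CA X3":
        return "long"   # cross-signed root is served (Android compatibility chain)
    if top_issuer == "ISRG Root X1":
        return "short"  # chain stops at the intermediate; client must trust ISRG Root X1
    return "other"


if __name__ == "__main__":
    for name, sample in (("posted output", SHORT_CHAIN), ("constructed", LONG_CHAIN)):
        print(name, "->", classify(sample), parse_chain(sample))
```

To check a live server, pass the text captured from the `openssl s_client ... -showcerts` command shown in the first post to `classify()`.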
