On Android 6.0.1 the Certificate is untrusted


#1

Hi,

on Android 6.0.1 the Android Apps, like Owncloud App or Google Chrome Browser says Certificate is untrusted. On Windows (PC) is the CERTIFICATE trusted


Importing LetsEncrypt into Java and Glassfish
New Name, New Home, le.sh is renamed to acme.sh
#2

Make sure you are serving the intermediate certificate (e.g. fullchain.pem). You can verify this with SSL Labs. It’s possible that the intermediate certificate was cached in your desktop browser because you previously visited a Let’s Encrypt-signed site, while you didn’t on your phone.

I can confirm that Let’s Encrypt is trusted on Android 6.0.1 (Nexus 5 and Nexus 6P with stock Android).


#3

In the vhost file I have the privkey.pem and the fullchain.pem is that right?


#4

Take a look at the following thread for a sample configuration for apache.
tl;dr: you need to use fullchain.pem with the SSLCertificateChainFile directive.


#5

Thanks, one PEM File was missing in the vhost file. Now it works fine.


#6

Negative. SSLCertificateChainFile corresponds with chain.pem, combined with SSLCertificateFile /path/to/cert.pem. In Apache version 2.4.8 SSLCertificateChainFile became obsolete and you can use fullchain.pem in combination with SSLCertificateFile. It all looks quite the same, but it isn’t :wink:


#7

Indeed, that would be the recommended way for Apache >= 2.4. 2.2 still has a huge market share, so without knowing the specifics of OPs stack, SSLCertificateChainFile would be more backwards compatible.


#8

Yes, in combination with chain.pem, not fullchain.pem :wink:


#9

Sorry, you’re right, although it seems to work either way (probably wasting some bandwidth in the initial handshake, unless apache recognizes the duplication and removes it automatically). I’ll raise the issue in the linked thread.


#10

In my experience, most of the time it works in many different configurations :stuck_out_tongue: But IMHO you should follow the right semantics :smile:


#11

Thanks for reply. It works now very good. Now I can use my Raspberry for many many things :grin: