Domain: elearning.univ-bejaia.dz/
We have a problem with our site on some devices, sometimes the site is displayed correctly and sometimes the message "your connection is not private" is displayed as you can see on the attached screenshots. This is not the problem of the absence of the ISRG Root X1 root certificate because sometimes the site works fine on these devices, knowing that the Let's encrypt and Whynopadlock sites are displayed correctly on these devices and before our site also worked fine on these devices even after Let's encrypt changed its root certificate. Apparently the problem is at our level but I do not know exactly what is it. The SSL Labs and Whynopadlock sites do not display any errors.
I have noticed this issue on devices running the following android versions:
4.4.2
6.0
7.0
The ISRG X1 Root Certificate, which your system is using, is only compatible with Android 7.1 and higher. See:
To provide support for older Android devices, you must chain your trust to the expired DST Root. Older Android devices ignore the expiration date, newer devices and SSL Libraries will typically ignore this and build a "short-circuit" path to the ISRG Root, which is installed in their systems.
This is the default behavior of LetsEncrypt and Certbot, so you or your team decided to override it at some point, or are using an ACME client that has decided to do that. Please reference the numerous Android and Root Expiry threads on this forum for more details.
If you already had to switch from the longer/default chain to the shorter/alternate chain, going back will only reinstate whatever problems were resolved by switching to the shorter/alternate chain.
My advice, at this time, is to switch to another (free and ACME friendly) CA - which can provide a completely different trust chain [that should be useable by all your clients].
Thank you for your answers
in our case, we manually upload the server certificate as well as the intermediate certificates into Fortiweb. After Let's encrypt changed its root certificate, I only use the R3 intermediare certificate signed by ISRG Root X1 which is represented by Inter_cert_1 in the attached screenshot. Do I also need to add the ISRG Root X1 certificate signed by DST Root CA X3? who is represented by Inter_Cert_2 in the screenshot below?
How do you explain that sometimes the site is displayed correctly and sometimes the message "Your connection is not private" is displayed. Normally either it works or it doesn't, right?
For example I took the screenshot below from a phone that runs on android 4.4.2
When I access your website it's currently serving the modern chain ( Leaf > R3 > ISRG Root X1) this is only compatible with Android after 7.1 which has a copy of the ISRG Root X1 root installed. Some devices may see the R3 and resolve the rest of the chain correctly, some may not.
If you want old android compatibility you need Leaf > R3 > ISRG Root X1 (signed by DST Root CA X3), so for that you need to serve your Leaf certificate, the R3 AND the ISRG Root X1 (signed by DST Root CA X3), so that the path explicitly leads to DST Root CA X3.
For the broadest range of compatibility you may want to consider switching to a different CA as already mentioned by others. Compatibility varies by CA.
