QUIC.cloud problems with Android <7.1

dfuytn · April 29, 2022, 6:27pm

I am using QUIC.cloud for connecting LSCache to them for DNS, SSL and CDN. The certificate chain they installed causes browser requests from Edge or Chrome browsers on Android less than 7.1 to cause a "not trusted" error. I understand that LetsEncrypt has a solution for this and was wondering how I could get the proper chain from you so I could install it manually through QUIC.cloud (they make provision for third party certificates). I realize QUIC.cloud uses LetsEncrypt, but for some reason their deployment doesn't work so I thought if you could supply me with a working certificate, I could install it manually through their manual entry process. They can manually install the certificate and private key.

My domain is: clearvoiceu.net

I ran this command: clearvoiceu.net on an Android phone < 7.1

It produced this output: On Edge and Chrome, certificate was not trusted

My web server is (include version): OpenLiteSpeed

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: RunCloud connected to Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): using QUIC.cloud for DNS, SSL & CDN

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): N/A

9peppe · April 29, 2022, 6:32pm

Your website is using the "short chain" instead of the default one. This is expected.

$ openssl s_client -connect clearvoiceu.net:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = clearvoiceu.net
verify return:1
---
Certificate chain
 0 s:CN = clearvoiceu.net
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr 26 16:31:36 2022 GMT; NotAfter: Jul 25 16:31:35 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---

Android >= 7.1.1 (but Android >= 2.3.6 will work by default due to our special cross-sign)

dfuytn · April 29, 2022, 6:34pm

How can I get it to use the long chain so Android <7.1 will be OK?

9peppe · April 29, 2022, 6:36pm

I don't know QUIC.cloud, so I don't know if you can do it by yourself or you have to ask them.

dfuytn · April 29, 2022, 6:37pm

They make provision to manually install your own certificate, so I was wondering if I could get a long chain certificate and install it using QUIC.cloud's manual process?

9peppe · April 29, 2022, 6:39pm

Probably, but you'd have to repeat the process every two months.

I think you should complain.

dfuytn · April 29, 2022, 6:41pm

How would I go about asking LetsEncrypt for a long chain certificate without using certbot?

9peppe · April 29, 2022, 6:44pm

If you are using certbot already, the certificate you have is probably using the long chain already.

If you don't like certbot you can use another acme client, but there's no human interface to ask for certificates, like a paid CA.

dfuytn · April 29, 2022, 6:49pm

Are all the certificates stored in the same place? I can see server.crt and server.key. There are two certificates in server.crt and one in server.key. In other words, would the hosting provider store a certificate in one place and the CDN store one in another place. If so, I can install certbot and have it install the long chain certificates.

9peppe · April 29, 2022, 7:51pm

Certbot doesn't use those filenames, so I don't know.

The certificate and key can be the same, and the only difference be the chain.

rg305 · April 30, 2022, 3:46am

It depends on how much control you have over the system.
If none, ask the provider for assistance.
If root, then you can control the ACME client and switch chains OR even to another ACME CA.
If somewhere in between, it really depends on the access you have to the location of the cert files, the amount of scripting that can be done and your willingness to roll your sleeves up and create your own solution.

OR

You might be able to put the site behind Cloudflare CDN and be done with it.
[note: I'm not 100% certain Cloudflare supports QUIC - but it's 2022 and they should]

system · May 30, 2022, 3:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.