Shared Server Issues with Chrome on Android

Hi all,

(Firstly, I’ve already done a bit of research on this; however, I can’t tweak the shared hosting server config. This may just mean that I’m screwed, but I said I’d ask anyway …)

So I’ve got a few of my own sites set up on a cloud box with one webhost … I control everything on the box. They are getting an A+ rating on their certs.

I’ve also got a client site that is set up on shared hosting on a completely different host / system (their uptime is pretty amazing, and my own cloud box is for messing about with and hosting personal sites).

The shared hosting is running Apache 2.2 and I’ve pretty much no access to configure anything on this apart from uploading my fullchain.pem and privkey.pem. Now this works out perfectly except … Chrome on Android doesn’t like it (desktop browsers seem to be happy out, Firefox on Android and so on). Now I’ve tried to do my research and it seems like I need to configure the server to have the chain file sent as well (which is included in the fullchain.pem file I believe, but it’s something that Chrome on Android doesn’t seem to like when it’s included this way?)

If I go to one of my other sites with the A+ rating and then I go back to my shared hosting site it’ll work fine so it seems like the chain is getting cached once I’ve visited another properly configured letsencrypt site?

Has anyone come across this already, and is there anything I can do?

Thanks,
James

Apache 2.2 expects the certificate and chain in separate files (cert.pem and chain.pem, if you used certbot), not in a single file like Apache 2.4. Now, how you actually achieve that would depend on your shared hosting, but they should have provided a separate way for you to upload the chain file.
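The split described above, as an added example that is not part of this thread: a small stdlib-only Python helper that takes a certbot-style fullchain.pem (leaf certificate first, intermediates after it) and separates it into the two files Apache 2.2 expects, cert.pem for SSLCertificateFile and chain.pem for SSLCertificateChainFile. The sample PEM blocks are constructed placeholders, not real certificates; the file names are assumptions.

```python
import re
from typing import Tuple

# Matches one PEM certificate block, BEGIN and END lines included.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def count_certs(pem: str) -> int:
    """Number of certificate blocks in a PEM bundle."""
    return len(PEM_BLOCK.findall(pem))


def split_fullchain(fullchain_pem: str) -> Tuple[str, str]:
    """Split fullchain.pem into (leaf, chain).

    certbot writes the leaf first and the intermediates after it, so the
    first block is the server certificate and everything else is the chain
    that Apache 2.2 needs in a separate SSLCertificateChainFile.
    """
    blocks = PEM_BLOCK.findall(fullchain_pem)
    if not blocks:
        raise ValueError("no certificates found in fullchain.pem")
    leaf = blocks[0] + "\n"
    chain = "".join(block + "\n" for block in blocks[1:])
    return leaf, chain


# Constructed sample bundle: two dummy blocks with placeholder bodies,
# standing in for a real leaf + intermediate pair.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nLEAFBODY\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Real usage: read the certbot output and write the two Apache 2.2 files.
    leaf, chain = split_fullchain(SAMPLE_FULLCHAIN)
    with open("cert.pem", "w") as f:
        f.write(leaf)
    with open("chain.pem", "w") as f:
        f.write(chain)
    print(f"leaf certs: {count_certs(leaf)}, chain certs: {count_certs(chain)}")
```

After uploading, `openssl s_client -connect example.com:443 -showcerts` shows the chain the server actually sends; a single certificate in that output means the intermediates were dropped, which is the incomplete-chain result SSL Labs reports.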

I thought it was the case that Apache 2.2 wouldn’t like the fullchain, but someone else I spoke with mentioned it should work, so I was hoping they were right.

Unfortunately the CP is using Odin / Parallels, so it’s rather limited in what I’m able to do from the back end. Basically I’m able to give the full chain and the private key … I’ll check if they’ve got any details on the rollout of Apache 2.4 or allowing the ability to add a chain file, though I suspect not :frowning:

Was going to try to upload a screenshot but it’s basically Step 2 / 3:
Certificate (Browse)
Private Key (Browse)

and without the chain file I suspect everything else will break, and it’s nearly 23:00 here so I’m not going to try that. Oh well, here’s hoping that lots of Android users have visited other Let's Encrypt encrypted sites recently :smiley:

Thanks for the response
James

Hi @Forbairt,

If the hosting provider only lets you upload two files and the result of uploading fullchain.pem and privkey.pem is an invalid chain (you can check that explicitly with the SSL Labs scanner at https://www.ssllabs.com/ssltest/ — maybe that’s what you already did!), I’d suggest taking it up with them, because they’re probably doing something wrong in their import/server configuration. Being able to provide an intermediate certificate is an important part of getting a correct HTTPS configuration that clients will be able to accept, and the hosting provider ought to be able to figure out how to do that!

Hi schoen,

Thanks for the response.

Yes, I'd tried the SSL Labs SSL Test, and that's the A+ and B ratings I was talking about.

The B rating is down to ...

The server does not support Forward Secrecy with the reference browsers

...

This server's certificate chain is incomplete. Grade capped to B.

I've logged a support query with my hosting provider so hopefully they'll be able to sort it :slight_smile:

I can also install a CA Certificate, though to be honest now I'm just getting confused, so I'll wait to hear back from them.

Many thanks for the response
James

So, big thanks for the help. I guess I kinda wanted to talk out loud about it (or even type).

Yes I ended up contacting support with my hosting company and they had me sorted rather quickly.

There’s a CA Certificate field available in another place in the CP and I was able to add the chain.pem to this. So I’m using the fullchain.pem and privkey.pem in one place, and this chain.pem added to the CA Certificate field.

I guess it’s a case of not fully understanding things.

I’ve gone from a B to an A- rating on the site.
I’m waiting to hear back if any people have issues connecting to the site but hopefully that’s the end of that for now :slight_smile:

I’ll probably do a bit of a write up on it all on my blog (as I don’t want to go mentioning hosting providers here)

James
