Site Identity Not Verifiable


#1

Let’s Encrypt was installed on our managed cloud server by our host, Infomaniak, and is updated automatically. Most of the users of our site, www.imeela.com, access the site via mobile: smartphones and tablets.

Users with a Blackberry Q10 get this warning message:

“Site identity not verifiable. This may not be trustworthy. Personal information entered on this site may not be protected”.

Whereas Android users don’t see a warning sign, and when they view the certificate, it says: “The identity of this website has been verified by Let’s Encrypt Authority X3 but does not have public audit records”

What could be the cause and how can we solve it?


#2

If you check Which browsers and operating systems support Let’s Encrypt then it’s known that Blackberry Q10 won’t work (because the main signing cert isn’t in the default recognised list on that OS). I’m not sure there is a way to “solve” it I’m afraid, it depends on what sort of solution you are after. You could redirect Q10 users to http and not have https at all for them if that’s a solution?


#3

Thank you for the reply.
I will check with our developers if this will be a possible solution.


#4

That’s not a solution. You can’t redirect them if they’re already on HTTPS and can’t verify the certificate.


#5

I’m all for suggestions of better solutions if you have any.

Perhaps I could have worded it better. At the moment everything is redirected from http to https … simply don’t do the redirect if it’s on a Blackberry Q10, and allow them to use http rather than redirecting to https.


#6

Don’t forget not to add any HSTS headers in that case either 🙂


#7

Probably best to use a different CA for the time being if you have lots of Blackberry users. If you use HTTP for them but HTTPS for everyone else they won’t be able to follow links to your site posted by HTTPS users.
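
The conditional redirect discussed in posts #5 and #6, sketched as an added example (not code from any poster or from the site in question). The `BB10` User-Agent token, the host name and the sample User-Agent strings are assumptions constructed for illustration; the example also narrows post #6 by sending HSTS only to clients that are not treated as legacy.

```python
# Added illustration: decide per request whether to redirect HTTP -> HTTPS
# and whether to send HSTS, following the idea in posts #5 and #6.
import re

# Assumption: BlackBerry 10 browsers (Q10 included) send a "(BB10;" token in
# the User-Agent header. Confirm against your own access logs first.
LEGACY_UA = re.compile(r"\(BB10;")
HSTS = ("Strict-Transport-Security", "max-age=31536000")

# Constructed sample User-Agent strings, not captured traffic.
Q10_UA = "Mozilla/5.0 (BB10; Kbd) AppleWebKit/537.35+ (KHTML, like Gecko) Mobile Safari/537.35+"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 6.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0 Mobile"


def plan_response(scheme, host, path, user_agent):
    """Return (status, headers) the front end applies before the app runs."""
    legacy = bool(LEGACY_UA.search(user_agent or ""))
    if scheme == "http":
        if legacy:
            # Served over plain HTTP with no transport protection at all.
            # Vary stops shared caches replaying this answer to other clients.
            return 200, [("Vary", "User-Agent")]
        return 301, [("Location", f"https://{host}{path}"),
                     ("Vary", "User-Agent")]
    # HTTPS: the handshake already happened. A legacy client that followed an
    # https:// link (post #7) fails certificate validation before any of this
    # logic runs, so nothing here can rescue that case.
    if legacy:
        return 200, []          # never pin a legacy client to HTTPS
    return 200, [HSTS]


def demo():
    """Run the constructed samples through the decision function."""
    host = "www.example.test"   # placeholder host
    return {
        "q10_http": plan_response("http", host, "/login", Q10_UA),
        "android_http": plan_response("http", host, "/login", ANDROID_UA),
        "android_https": plan_response("https", host, "/login", ANDROID_UA),
        "q10_https": plan_response("https", host, "/login", Q10_UA),
    }


if __name__ == "__main__":
    for name, plan in demo().items():
        print(name, plan)
```

Because the User-Agent header is client-controlled, any client can opt itself out of the redirect, and everything a legacy client sends travels unencrypted.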