SSL Certificate not trusted on mobile

Hello,

please browse to my website using your MOBILE BROWSER. Notice how the SSL is not displaying properly.

If you browse to the website using desktop browser, there is no error.

My domain is: https://bluehaven.dental/

I ran this command: n/a

It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest version of certbot

1 Like

It's displaying perfectly on my mobile browser (Firefox on my iPhone), as well as on desktop. If you're using a browser that doesn't support SNI, though, it looks like there will be problems:
https://www.ssllabs.com/ssltest/analyze.html?d=bluehaven.dental

3 Likes

@danb35, thanks for checking out my URL.

I'm using Google Chrome: 96.0.4664.104.

I downloaded an android update.

I'm now using Google Chrome

97.0.4692.70

I browsed to the website and still receive the error.

2 Likes

@danb35 - take a look at the results from SSLLABS.

https://www.ssllabs.com/ssltest/analyze.html?d=bluehaven.dental

There is an alternative name mismatch for the SNI.

app.getflywheel.com *.getf.ly *.getflywheel.com *.sitesandservices.com sitesandservices.com MISMATCH

More importantly, your server is sending the "short chain" (ssl checker) which does not support older Android devices. The default is the "long chain" which does support old Android, so someone specifically chose that.

I am not familiar with your server "Flywheel" (from the response headers) so do not know how to advise further. Here is good background on the choice of these two chains.

4 Likes

@MikeMcQ, how do you specify the long chain within the initial LetsEncrypt terminal config? What are the correct arguments?

Additionally, how were you able to determine the website is using the "short chain" (based on your decode.link)? Is this through the standard output (e.g. fewer lines, shorter output)?

As for knowing it is the "short chain", the ssl checker link I used showed your chain ending in ISRG Root X1 (just 2 certs). The long chain ends in DST Root CA X3 (3 certs). Compare what your chain looks like to using this website name on the ssl checker site. Should be clearer.

Do you know what command you used with Certbot? And, do you know how to configure your nginx server (per your post)? I see "Flywheel" in the response headers so was not sure.

4 Likes
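The check MikeMcQ describes (count the certificates the server sends and look at who issued the last one: R3 issued by ISRG Root X1 means the 2-cert short chain, ISRG Root X1 issued by DST Root CA X3 means the 3-cert long chain) can be scripted against the "Certificate chain" block that `openssl s_client -showcerts` prints. The following is an added example for this thread, not code from any post, Certbot, or Flywheel. It assumes the `openssl` binary is on PATH for the live fetch; the two sample outputs embedded below are constructed (the PEM bodies are placeholders) so the parser can be exercised offline.

```python
"""Classify the chain a TLS server sends as Let's Encrypt "short" or "long"
chain, from `openssl s_client -showcerts` output (added example)."""
import re
import subprocess
import sys

# Constructed sample: server sends the SHORT chain (leaf -> R3, 2 certs,
# last issuer ISRG Root X1). PEM bodies are placeholders, not real certs.
SHORT_CHAIN_SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
MIIF...constructed placeholder...
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
-----BEGIN CERTIFICATE-----
MIIF...constructed placeholder...
-----END CERTIFICATE-----
---
Server certificate
subject=CN = example.test
"""

# Constructed sample: server sends the LONG chain (3 certs, last cert is the
# ISRG Root X1 cross-sign issued by DST Root CA X3, which old Android trusts).
LONG_CHAIN_SAMPLE = SHORT_CHAIN_SAMPLE.replace(
    "---\nServer certificate",
    " 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1\n"
    "   i:O = Digital Signature Trust Co., CN = DST Root CA X3\n"
    "-----BEGIN CERTIFICATE-----\nMIIF...constructed placeholder...\n"
    "-----END CERTIFICATE-----\n---\nServer certificate",
)

# " 0 s:<subject DN>" followed by "   i:<issuer DN>" as printed by s_client.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def _cn(dn):
    """Pull the CN out of a DN in either 'C = US, CN = R3' or '/C=US/CN=R3' form."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    certs = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        sm = _SUBJECT_RE.match(line)
        if not sm or idx + 1 >= len(lines):
            continue
        im = _ISSUER_RE.match(lines[idx + 1])
        if im:
            certs.append((_cn(sm.group(2)), _cn(im.group(1))))
    return certs


def classify_chain(text):
    """Decide short/long/unknown from the issuer of the last certificate sent."""
    certs = parse_chain(text)
    if not certs:
        return {"count": 0, "last_issuer": None, "chain": "unknown"}
    last_issuer = certs[-1][1]
    if last_issuer == "DST Root CA X3":
        chain = "long"      # cross-signed ISRG Root X1 present: old Android OK
    elif last_issuer == "ISRG Root X1":
        chain = "short"     # stops at R3: pre-7.1.1 Android without the
                            # ISRG Root X1 trust anchor will reject it
    else:
        chain = "unknown"
    return {"count": len(certs), "last_issuer": last_issuer, "chain": chain}


def fetch_chain_text(host, port=443, timeout=15):
    """Run openssl s_client with SNI and return its text output (live check)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    text = fetch_chain_text(target) if target else LONG_CHAIN_SAMPLE
    result = classify_chain(text)
    print(f"{result['count']} certs sent, last issuer {result['last_issuer']!r}: "
          f"{result['chain']} chain")
```

Run it as `python3 chaincheck.py bluehaven.dental` to test the live server, or with no argument to see the classification of the constructed long-chain sample. The `-servername` flag matters: without SNI the server may hand back a different certificate altogether, which is the separate mismatch the SSL Labs report shows.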

Do you know what command you used with Certbot? And, do you know how to configure your nginx server (per your post)? I see "Flywheel" in the response headers so was not sure.

I didn't set up this website. I'm only investigating this for my own learning. Although I did email the website owner.

I'm guessing getflywheel.com is either an app extension for SEO or a WordPress web hosting platform.

Assuming for the moment the environment is:
ubuntu + nginx (latest version) + letsencrypt (latest version)

what is the correct argument for the LONG chain?

There is nothing you can do to fix the server's chain so it works with your device. That is something that must be done on the server.

It looks like they have a CDN (fastly?) in front of their server. If so that is more complex. Refer the site owner to this thread and we can advise. There is no evidence to conclude Ubuntu, nginx, or how they obtained Let's Encrypt certs.

curl -I https://bluehaven.dental
HTTP/2 200
content-type: text/html; charset=UTF-8
cf-edge-cache: cache,platform=wordpress
link: <https://bluehaven.dental/wp-json/>; rel="https://api.w.org/"
link: <https://bluehaven.dental/>; rel=shortlink
x-xss-protection: 1
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
x-fw-server: Flywheel/5.1.0
x-fw-dynamic: TRUE
x-fw-hash: tmxmixueb9
x-fw-version: 5.0.0
server: Flywheel/5.1.0
x-cacheable: YES
fastly-restarts: 1
accept-ranges: bytes
date: Thu, 06 Jan 2022 02:54:05 GMT
x-served-by: cache-iad-kjyo7100030-IAD
x-cache: MISS
x-cache-hits: 0
x-timer: S1641437644.565631,VS0,VE1585
vary: Accept-Encoding, Accept-Encoding
x-fw-serve: TRUE
x-fw-static: NO
x-fw-type: FLYWHEEL_BOT
content-length: 159836
4 Likes

This is my point.

I'm offering recommendations to the client.

Assuming I can use their Ubuntu + NGINX + certbot server. What is the correct argument?

I don't understand. Are you the hosting service? Do you operate the CDN? Does the CDN terminate TLS? Do you know which client they used to obtain the certs (there are dozens)?

4 Likes

I don't understand. Are you the hosting service? Do you operate the CDN? Does the CDN terminate TLS? Do you know which client they used to obtain the certs (there are dozens)?

I have no idea on these things. Although we can make some basic assumptions. Assuming Flywheel is a CDN, it's probably using some custom type GUI which 'auto deploys' (based on their scripting).

I'm recommending to the website owner to deploy a 'dev' copy of their site. https://dev.mydomain.com on a different server like Digital Ocean, through clean Ubuntu and running Certbot again.

Check the differences between the two deployments.

It's also quite possible the CDN could have preferences for the version of CERTBOT (LONG vs SHORT) and the initial developer chose the SHORT cert.

Many things are possible. I do not wish to play a guessing game. I am a volunteer helping when I can.

Someone went out of their way to create the short chain. They may have even had a very good reason. There are various clients and even various ways to set up a short chain - it can be and sometimes is done by editing the longer chain. One way to do it with Certbot is to use the --preferred-chain 'ISRG Root X1' option.

I don't see how this is helpful to resolve any particular problem. If you want to learn about these chains there are numerous threads on this forum on this topic.

If the server admin shows up here I am sure someone would advise - maybe even me.

4 Likes

I'm peering into my crystal ball...

:crystal_ball:

Oh no!

:boom:

I dropped it!

:scream:

It's rolling away!

:bangbang:

Help!

:sob:

3 Likes

What say you seer?

@discobot fortune

3 Likes

:crystal_ball: Ask again later

4 Likes

HAHA!

I found your crystal ball and put it back in its place.

The letsencrypt community fixed the problem. I marked the solution from the post above.

2 Likes

Yes, @MikeMcQ you're a great volunteer.

I marked your comment as the solution.

As for myself - I was not aware until this forum convo about the long vs short chains.

It was great for you to add the LINUX arguments.

Since I don't manage the website in question (about the forum post), I'll experiment with the arguments on my own PC environment, so I can learn more.

Thanks for this

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.