It's displaying perfectly on my mobile browser (Firefox on my iPhone), as well as on desktop. If you're using a browser that doesn't support SNI, though, it looks like there will be problems: https://www.ssllabs.com/ssltest/analyze.html?d=bluehaven.dental
More importantly, your server is sending the "short chain" (ssl checker), which does not support older Android devices. The default is the "long chain", which does support old Android, so someone specifically chose that.
I am not familiar with your server "Flywheel" (from the response headers) so do not know how to advise further. Here is good background on the choice of these two chains.
@MikeMcQ, how do you specify the long chain within the initial Let's Encrypt terminal config? What are the correct arguments?
Additionally, how were you able to determine the website is using the "short chain" (based on your decode.link)? Is this through the standard output (e.g. fewer lines, shorter output)?
As for knowing it is the "short chain", the ssl checker link I used showed your chain ending in ISRG Root X1 (just 2 certs). The long chain ends in DST Root CA X3 (3 certs). Compare what your chain looks like with this website's name run through the ssl checker site. It should be clearer.
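Added example (not from any poster in this thread): the same short/long distinction, decided from the "Certificate chain" summary that `openssl s_client -showcerts` prints, by looking at which root the last certificate the server sent was issued by rather than at the count alone. The two chain dumps are constructed samples with the PEM bodies left out; the hostname www.example.test is a placeholder.

```python
import re

# Constructed sample: summary lines from `openssl s_client -showcerts`
# for a server sending the Let's Encrypt short chain (leaf + R3).
SHORT_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Constructed sample: the long chain adds ISRG Root X1 cross-signed by DST Root CA X3.
LONG_CHAIN = """\
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def _cn(dn):
    """Pull the CN attribute out of an OpenSSL one-line DN."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = _cn(m.group(2))
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            certs.append((subject, _cn(m.group(1))))
            subject = None
    return certs


def classify_chain(text):
    """Name the chain by the root the last sent cert points to; a hand-edited
    chain can have any length, so the count alone is only a hint."""
    certs = parse_chain(text)
    if not certs:
        raise ValueError("no certificates found in s_client output")
    ends_at = certs[-1][1]
    kind = {"ISRG Root X1": "short", "DST Root CA X3": "long"}.get(ends_at, "unknown")
    return {"kind": kind, "count": len(certs), "ends_at": ends_at}
```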
Do you know what command you used with Certbot? And, do you know how to configure your nginx server (per your post)? I see "Flywheel" in the response headers so was not sure.
I didn't set up this website. I'm only investigating this for my own learning, although I did email the website owner.
I'm guessing getflywheel.com is either an app extension for SEO or a WordPress web hosting platform.
Assuming for the moment the environment is:
ubuntu + nginx (latest version) + letsencrypt (latest version)
There is nothing you can do to fix the server's chain so it works with your device. That is something that must be done on the server.
It looks like they have a CDN (fastly?) in front of their server. If so that is more complex. Refer the site owner to this thread and we can advise. There is no evidence to conclude Ubuntu, nginx, or how they obtained Let's Encrypt certs.
I don't understand. Are you the hosting service? Do you operate the CDN? Does the CDN terminate TLS? Do you know which client they used to obtain the certs (there are dozens)?
I have no idea on these things. Although we can make some basic assumptions. Assuming flywheel is a CDN, it's probably using some custom type GUI which 'auto deploys' (based on their scripting).
I'm recommending to the website owner to deploy a 'dev' copy of their site. https://dev.mydomain.com on a different server like Digital Ocean, through clean Ubuntu and running Certbot again.
Check the differences between the two deployments.
It's also quite possible the CDN could have preferences for the version of CERTBOT (LONG vs SHORT) and the initial developer chose the SHORT cert.
Many things are possible. I do not wish to play a guessing game. I am a volunteer helping when I can.
Someone went out of their way to create the short chain. They may have even had a very good reason. There are various clients and even various ways to set up a short chain; it can be, and sometimes is, done by editing the longer chain. One way to do it with Certbot is to use the --preferred-chain 'ISRG Root X1' option.
I don't see how this is helpful to resolve any particular problem. If you want to learn about these chains there are numerous threads on this forum on this topic.
If the server admin shows up here I am sure someone would advise - maybe even me.