SSL on Mobile isn't trusted


#1

SSL works fine on browsers, but when I open the site on mobile it says that the site SSL isn’t trusted.

SSLLabs test can be found here: https://goo.gl/y4bCKU


#2

Note the “This server’s certificate chain is incomplete. Grade capped to B.” Missing chain certificates can lead to issues with browser that haven’t previously visited a site using the same chain certificate (they’re cached).

Depending on your apache version, you want either SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem or SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem (instead of cert.pem) in your configuration. You can use Mozilla’s SSL Configuration Generator to determine which of the two would be right for your apache version.


#3

Thank you for the fast reply.

According to the configurator generator (https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.20&openssl=1.0.1e&hsts=yes&profile=modern) I need SSLCertificateFile /etc/letsencrypt/live/correctdomain.com/fullchain.pem but it still isn’t working.

Is there another reason why it could not work on mobile? Or does it take some hours before the changes are live? Yes I am restarting my server every time I made a change


#4

The change should be instantaneous after you restart your web server. SSL Labs still shows the chain issue, so something didn’t work out. The mobile error is definitely due to the chain issue. I assume you replaced your existing SSLCertificateFile directive, and didn’t add a second one?

FYI, you also have an AAAA record (IPv6) that does not seem to accept connections. Most likely unrelated, but could cause other issues for users on IPv6 networks.


#5

I changed the existing one, it looks like this now:

SSLCertificateFile /etc/letsencrypt/live/correctdomain.nl/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/correctdomain.nl/privkey.pem
SSLCACertificateFile /etc/letsencrypt/live/correctdomain.nl/chain.pem

I only changed the first row, the other rows were there by default.
And thank you for telling about the IPv6 issue, I’ll make sure to take a look at that after I get the SSL working.


#6

That looks fine. Any chance there’s another SSLCertificateFile directive somewhere in /etc/apache2 (or /etc/httpd if this is CentOS)? grep -r "SSLCertificateFile" /etc/apache2 should do.


#7

grep -r "SSLCertificateFile" /etc/httpd" returns:

[root@server etc]# grep -r "SSLCertificateFile" /etc/httpd
/etc/httpd/conf/extra/httpd-ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate.  If
/etc/httpd/conf/extra/httpd-ssl.conf:SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
/etc/httpd/conf/extra/httpd-ssl.conf:#SSLCertificateFile /etc/httpd/conf/server-dsa.crt
/etc/httpd/conf/extra/httpd-ssl.conf:#   the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf/extra/httpd-vhosts.conf:    SSLCertificateFile /etc/letsencrypt/live/correctdomain.nl/fullch      ain.pem
/etc/httpd/conf/original/extra/httpd-ssl.conf:#   Point SSLCertificateFile at a PEM encoded certificate      .  If
/etc/httpd/conf/original/extra/httpd-ssl.conf:SSLCertificateFile "/etc/httpd/conf/server.crt"
/etc/httpd/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
/etc/httpd/conf/original/extra/httpd-ssl.conf:#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"
/etc/httpd/conf/original/extra/httpd-ssl.conf:#   the referenced file can be the same as SSLCertificate      File

#8

Any chance /etc/httpd/conf/ssl.crt/server.crt is a copy of /etc/letsencrypt/live/correctdomain.nl/cert.pem? :smile:

You can probably disable all the SSLCertificateFile directives except for the one in httpd-vhosts.conf and see if that changes anything.


#9

When I comment the SSLCertificateFile in: /etc/httpd/conf/extra/httpd-ssl.conf
And restart the httpd using sudo systemctl restart httpd
I get:

[root@server original]# systemctl status httpd.service -l
httpd.service - The Apache HTTP Server
Loaded: loaded (/etc/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2016-06-30 20:37:08 CEST; 31s ago
Process: 31055 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 29626 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
Process: 31054 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 31054 (code=exited, status=1/FAILURE)
Jun 30 20:37:07 server.domain.nl systemd[1]: Starting The Apache HTTP Server...
Jun 30 20:37:08 server.domain.nl systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Jun 30 20:37:08 server.domain.nl kill[31055]: kill: cannot find process ""
Jun 30 20:37:08 server.domain.nl systemd[1]: httpd.service: control process exited, code=exited status=1
Jun 30 20:37:08 server.domain.nl systemd[1]: Failed to start The Apache HTTP Server.
Jun 30 20:37:08 server.domain.nl systemd[1]: Unit httpd.service entered failed state.
Jun 30 20:37:08 server.domain.nl systemd[1]: httpd.service failed.

I have no idea what that means, but can that be a reason why SSL isn’t working on mobile?


#10

I guess there’s some issue with the configuration now, and apache is failing to start.

My best guess is there’s a <VirtualHost> tag in original/httpd-ssl.conf and/or extra/httpd-ssl.conf with SSLEngine On and apache is complaining that there’s no certificate file set. You can probably get rid of everything between (and including) <VirtualHost> and </VirtualHost> in those two files.


#11

This seems to work for me…

SSLCertificateFile /etc/letsencrypt/live/domain.com/cert.pem
SSLCACertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem

(Apache 2.4)


#12

After restarting Apache everything back to normal … Thank you @pfg


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.