SSL works fine on desktop, but on mobile it gives a "not safe" notice!

I got my Let's Encrypt SSL certificate through a third party.

My domain is: f1ian.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: godaddy

I can login to a root shell on my machine (yes or no, or I don't know): FTP (FileZilla)

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using Certbot; it did not work

I guess old versions of Android mobile phones are giving the unsafe notice.

The f1ian.com domain is using the non-default certificate chain, which does not have the old-android compatibility intermediate certificate:

pi@raspberrypi:~ $ openssl s_client -connect f1ian.com:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = f1ian.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = f1ian.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---

I suggest testing the server with the default chain.

3 Likes
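As an added example that is not part of the thread: a small stdlib-only Python script that parses the "Certificate chain" listing printed by openssl s_client (as quoted above) and classifies a Let's Encrypt chain as the short one (ends at R3, issued by ISRG Root X1, with nothing further sent) or the long default one (adds ISRG Root X1 cross-signed by DST Root CA X3, which older Android trusts). Both sample outputs are constructed: the first mirrors what the thread shows for f1ian.com, the second is what the same listing looks like with the default chain. The function names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample 1: the listing the thread shows for f1ian.com
# (two certificates, leaf and R3; the server sends nothing further).
SHORT_CHAIN_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = f1ian.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
"""

# Constructed sample 2: the same server sending Let's Encrypt's default
# (long) chain, which adds ISRG Root X1 cross-signed by DST Root CA X3.
LONG_CHAIN_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = f1ian.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
"""

SUBJECT_RE = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects, issuers = {}, {}
    in_chain, index = False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":  # end of the chain listing
            break
        m = SUBJECT_RE.match(line)
        if m:
            index = int(m.group(1))
            subjects[index] = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and index is not None:
            issuers[index] = m.group(1).strip()
    return [(subjects[i], issuers.get(i, "")) for i in sorted(subjects)]


def common_name(dn: str) -> str:
    """Pull the CN out of an openssl-style 'C = US, O = ..., CN = ...' DN."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn


def classify_letsencrypt_chain(output: str) -> str:
    """'short', 'long', 'broken' (issuer/subject links do not line up) or 'unknown'."""
    chain = parse_chain(output)
    if not chain:
        return "unknown"
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken"
    last_subject, last_issuer = chain[-1]
    if common_name(last_subject) == "ISRG Root X1" and common_name(last_issuer) == "DST Root CA X3":
        return "long"
    if common_name(last_subject) == "R3" and common_name(last_issuer) == "ISRG Root X1":
        return "short"
    return "unknown"


if __name__ == "__main__":
    import sys
    # Pipe real s_client output in; with no stdin the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SHORT_CHAIN_OUTPUT
    for subject, issuer in parse_chain(text):
        print(f"{common_name(subject):>16} <- {common_name(issuer)}")
    print("chain:", classify_letsencrypt_chain(text))
```

To feed it real input, run openssl s_client -connect f1ian.com:443 -servername f1ian.com </dev/null and pipe the output in; the -servername flag matters on shared hosting, because without SNI the server may hand back a different certificate than a browser sees. A "short" result here is exactly the condition the post above describes: nothing in the chain the server sends leads to DST Root CA X3, so a client that only has that old root in its store cannot build a path.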

Thank you so much for the info! So how can I test the default one? And it seems that Certbot cannot be used with GoDaddy :confused:

1 Like

Maybe the control panel with which you got the certificate originally has a setting for that?

2 Likes

I guess a better question even is:

What does:

.. mean exactly?

2 Likes

GoDaddy said they do not offer support for Let's Encrypt, so, as I understood it, I must install Certbot, but it is not clear to me from the documentation how to do so, as the documentation talks about the commands

following this guy's tutorial: Free SSL Certificate for GoDaddy - Install letsencrypt SSL - YouTube

So it's using a webbased, very manual approach. Two things:

  • This manual approach is not recommended, but GoDaddy makes it very hard to automate things;
  • The tutorial speaks about two certificates being present in the "certificate output" of PunchSalad where it currently should have three certificates in the output! So the copy/paste part of the "second" certificate should probably be "second and third" certificate.

As I said, this manual approach is not recommended. It's also very cumbersome. @griffin, a fellow volunteer on this Community, has written an ACME client completely written in PHP which can be used on your GoDaddy server and also issue a certificate! While it still contains manual parts (it should be possible to automate this on GoDaddy too; however, there are just 24 hours in a day and time is scarce, so it hasn't been developed yet..), it is much easier to work with compared to using PunchSalad. You can find the mentioned client CertSage here:

5 Likes

OK, I understand, thank you.

2 Likes

I read in some thread here in the Let's Encrypt community forum that it is possible to get shell access to a GoDaddy server. With shell access you can freely select the ACME client to automate the certificate issuance.

2 Likes

Thanks for the ping, @Osiris. :slightly_smiling_face:

As the resident GoDaddy guy, I can say that GoDaddy has some peculiarities that I designed CertSage to cleanly handle. If you're using cPanel shared hosting, you can access a terminal through cPanel, which only appears in the Advanced section when you enable SSH. However, without root access, which you don't have, the large majority of ACME clients won't work. CertSage does not require root access.

Generally, you should avoid third-party, website-based ACME clients like an infectious disease unless you feel like auditing thousands of lines of Javascript to be sure your keys aren't being leaked. They also require extra, manual steps, which is completely ridiculous and unnecessary. With CertSage you won't ever need to manually create TXT records or verification files. The software handles that for you, like it's supposed to.

3 Likes

I think you said GoDaddy had a problem with multiple intermediate certs, so they picked the short chain without the DST root.

Can they process the long chain with multiple intermediates?

3 Likes

Not sure honestly. They handle the CA bundle fill-in by themselves. I'll have to test. I always paste all three certs returned by Boulder into the certificate box, but they seem to ignore the last two. I think I'll test overriding their automatic fill-in of the CA cert with the two intermediates.

3 Likes

Thanks griffin for sharing! I'll test it out! So it would eliminate the problem of "not safe" on mobile if I installed the certificate through your script?

3 Likes

CertSage is a first-party ACME client, which means that all sensitive materials, such as your ACME account and certificate private keys, are generated directly on your webserver by the client. Moreover, unauthorized parties are prevented from using CertSage on your behalf by a 96-bit random code that changes every time CertSage is run. Only someone with access to CertSage's data folder (where your ACME account keys, certificate key, and certificate are saved) can retrieve that code.

CertSage is also the simplest way to get your certificate when using GoDaddy shared hosting. You can have your certificate within minutes of downloading CertSage using your favorite web browser on your smartphone. I'm not joking when I say that I've renewed and installed a certificate using my smartphone while waiting for a latte at Starbucks.

3 Likes

Yes, I have tried it, it is great, but there is a small issue. I did it the first time for my main domain in public_html, then I decided to delete it again and insert another domain inside the main domain, not a subdomain but a domain. So I tried it again and it gave me "authorization failed", even though I had deleted all certificates and all code.txt and responses and started over. So what should I do?

2 Likes

CertSage worked fine, but I am still getting the "not safe" on my Android phone from Google Chrome, with the https barred in red. How can we solve that?

2 Likes

The web server for the domain f1ian.com is still serving the short chain without the intermediate certificate "ISRG Root X1" signed by "DST Root CA X3". Have you got the proper certificate chain? Did you apply that to the web server?

3 Likes

@FirasHelou90, try using:

-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgISA0AFuB20aRO3s8Ad1vB1nOniMA0GCSqGSIb3DQEBCwUAMDIxCzAJBgNV
BAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJSMzAeFw0yMTA5MjYwNzIx
MTdaFw0yMTEyMjUwNzIxMTZaMBQxEjAQBgNVBAMTCWYxaWFuLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKZnm3GS4/xnasgzz5RFQmm0lgnGADmrOIiWVIReSk8V0ArCqCfOVwy7
0gI9qbey4U0AJckKThor8jN74x3a7VewUeSkxLawsFOCiTR3pQ9oxa0y/H9GbypDB+NuJ4xcvB8I
rmuWmwlLlhI/6gBhxgY8lLxfvCkHrRwoy20AscNH9YELb7Q2ckEeXkUWAMsZ6WGFAnkvVA9L5fUv
KCtf8NAFpRiHebjDpKLpbY4TYfIH/3B6f8/Q+OGziPlY5P++4NtelELklv1VhNQSCMjwo4yqpwwf
rqHnFRLkD7Fef9/THt4iQ673+Qg1kxB2qkI7daJlswpEw39JNDHNT2V0rAECAwEAAaOCAlIwggJO
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/
BAIwADAdBgNVHQ4EFgQUSWC7h/ejM6ozlNyJ+LDlR+CHQG0wHwYDVR0jBBgwFoAUFC6zF7dYVsuu
UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5sZW5j
ci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wIwYDVR0RBBwwGoIJZjFp
YW4uY29tgg13d3cuZjFpYW4uY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEB
MCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBAwYKKwYBBAHWeQIE
AgSB9ASB8QDvAHYAXNxDkv7mq0VEsV6a1FbmEDf71fpH3KFzlLJe5vbHDsoAAAF8ITGxugAABAMA
RzBFAiEA/HZFJKb6rn9Vuu4oPNWJ88Lrzb/sBpiP60+Cbmu9x3wCIGfHsZi2KzYpZ8+ROlvieVL8
CQHP5NP9TSlWaI9qpcztAHUAfT7y+I//iFVoJMLAyp5SiXkrxQ54CX8uapdomX4i8NcAAAF8ITGx
5wAABAMARjBEAiBWhrVCf//XqDEUujjASvzNfLXSsuYj9n6rAahFY3VDMgIgBErkkPmnPElrL9Ps
RzX6G9gu947O479wkNMv3l8YpqEwDQYJKoZIhvcNAQELBQADggEBAFQD2aoUuRCnrdfTDIg2v2Mh
tVQAa0rPoj18oWenrs4oMVfp4MoOOLWj4Sy9KAlC6PXSauN7afgrHnqzPYE094PqYsLbLGek1CDz
2DdoMSY/D/YKoW636T2p8L/6wgPpLQWU/2N8EEFcQHrw3srsWLt472Ga04vbAgAVEcd0sxGG+vK9
UOIUVzmeKezfD1FBEjfB5QM6583522AW89k3z/tADPX1P3EkEFp4pZIlAmxExFWZGwLrD3/1DiSr
3zHd6CH5BW5RTnHY7EXm12ltAVMEvdNfFgU/E88C2xDcWrGlJUsqVcg3orcIeZTmZyteMnqQgaKo
voXhUQPKQI2/+dg=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
3 Likes

It is very common with GoDaddy to have webroot directories for other domain names inside of public_html. You need to put a copy of certsage.php inside of the webroot directory for the other domain name as well. For example, let's say you have anotherdomain.com and its webroot directory is public_html/anotherdomain. You would put a copy of certsage.php in public_html/anotherdomain then modify line 16 of that certsage.php from this:

$dataDirectory = "../CertSage";

to this:

$dataDirectory = "../../CertSage";

That way CertSage will look two levels up for its data directory instead of one level up as the default. You would then visit anotherdomain.com/certsage.php and proceed in the usual way. Note that once you acquire a certificate for any domain name, you should install it before proceeding to acquire a certificate for a different domain name since CertSage will overwrite the certificate.crt and certificate.key in its data directory each time it acquires a certificate for you.

4 Likes
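As an added example (mine, not CertSage's own code): computing and patching that $dataDirectory value for any webroot depth, rather than counting "../" by hand, and checking that every copy still resolves to the same one data folder. The PHP excerpt is a constructed stand-in for the top of certsage.php, the function names are mine, and the layout assumed is CertSage's default: the data directory sits beside public_html, outside the web-served tree, so the private keys it holds cannot be fetched over HTTP.

```python
import re
from pathlib import PurePosixPath

# Constructed excerpt standing in for certsage.php; only the $dataDirectory
# assignment matters here, the real file has many more lines.
SAMPLE_CERTSAGE_PHP = """<?php
// ... (constructed stand-in for the top of certsage.php)
$dataDirectory = "../CertSage";
// ...
"""

DATA_DIR_RE = re.compile(r'^(\s*\$dataDirectory\s*=\s*)"[^"]*"(\s*;.*)$')


def data_directory_for(webroot: str, public_html: str = "public_html", name: str = "CertSage") -> str:
    """Relative $dataDirectory for a certsage.php copy placed in `webroot`.

    `webroot` is given relative to the hosting account's home directory and
    must be public_html itself or a directory under it.  Assumption (the
    CertSage default "../CertSage"): the data directory sits beside
    public_html, so the value is one "../" per path component of the webroot.
    """
    parts = PurePosixPath(webroot).parts
    if not parts or parts[0] != public_html or any(p in (".", "..") for p in parts):
        raise ValueError(f"webroot must be {public_html} or a directory under it: {webroot!r}")
    return "../" * len(parts) + name


def resolved_data_dir(webroot: str) -> str:
    """Where the value from data_directory_for() actually points, home-relative.

    Lets you confirm that copies in public_html and public_html/anotherdomain
    share one data folder (and therefore one certificate.crt/certificate.key).
    """
    path = PurePosixPath(webroot) / data_directory_for(webroot)
    stack = []  # PurePosixPath does not collapse "..", so normalise by hand
    for part in path.parts:
        if part == "..":
            if not stack:
                raise ValueError("data directory would escape the home directory")
            stack.pop()
        else:
            stack.append(part)
    return "/".join(stack)


def patch_certsage(source: str, webroot: str) -> str:
    """Rewrite the single $dataDirectory assignment in a certsage.php copy."""
    value = data_directory_for(webroot)
    out, hits = [], 0
    for line in source.splitlines():
        m = DATA_DIR_RE.match(line)
        if m:
            line = f'{m.group(1)}"{value}"{m.group(2)}'
            hits += 1
        out.append(line)
    if hits != 1:  # refuse to guess if the file does not look like we expect
        raise ValueError(f"expected exactly one $dataDirectory assignment, found {hits}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for webroot in ("public_html", "public_html/anotherdomain", "public_html/a/b"):
        print(f"{webroot:28} {data_directory_for(webroot):20} -> {resolved_data_dir(webroot)}")
    print(patch_certsage(SAMPLE_CERTSAGE_PHP, "public_html/anotherdomain"))
```

Because every copy resolves to the same folder, the warning in the post above follows directly: acquiring a certificate for the second domain overwrites certificate.crt and certificate.key from the first, so install each one before running CertSage for the next domain.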