Valid certificate deemed invalid in Android app

Last August, my server crashed. I had to reinstall and I generated new certificates for my sites.
My Android app tries to contact this server www.yprgames.com, and now I see a message that the server cannot be verified. It lists certificate details, and those say the certificate is valid until 13-Jan-2022.
I suspect somewhere (in the validation chain?) there is a leftover from the old certificate.
How do I check that, and how do I remove that leftover?

The same happened a few weeks ago for a less important site (back1.yprgames.com). Before that happened, I got expiry mails for that domain but I ignored those, as there was a new certificate already.
I then tried revoking and deleting the current certificate and generating a new one - that didn't help.
Eventually, I "fixed" it by taking down that server.

Uninstall and re-install of the app doesn't help.
Checking the certificate in the browser on the device lists the valid one.
It may be relevant that the app was developed using Adobe AIR. The iOS version of the app doesn't seem to have the same problem.
I didn't get any expiry mails this time for this domain (www.yprgames.com).

What would be the correct solution to fix this and remove the leftover from the old certificate?

1 Like

You can check with the openssl command which certificates the server provides:

$ openssl s_client -connect www.yprgames.com:443 | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = yprgames.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = yprgames.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
^C

So, the server provides the current default signing certificate chain. That includes the ISRG X1 certificate cross-signed by the expired DST X3. That provides compatibility for old Android devices, but it may break some other old/buggy clients.

Do not try to revoke the certificate unless its key is compromised and you suspect misuse of the certificate. Normally you do not deal with it; the certificate will just silently expire.

You may want to install the alternate certificate chain on the server and check how the application behaves after that. (It is strange that the Android version is failing and not the iOS one; with that chain I would have expected the reverse to happen.)
For a test, make a backup of the certificate chain, then just remove the last certificate and reload the server.

4 Likes
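As an added example (not code from the original thread), a small Python helper that reads the openssl s_client output quoted above, checks that each certificate's issuer matches the next certificate's subject, detects whether the served chain ends in the ISRG Root X1 certificate cross-signed by DST Root CA X3 (the default "long chain"), and returns the "short chain" you get by dropping that last certificate, which is what the answer suggests testing. The sample input is the "Certificate chain" block from the post above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the "Certificate chain" block of the openssl s_client output quoted above.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:CN = yprgames.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

@dataclass
class ChainEntry:
    subject: str
    issuer: str

def parse_chain(output: str) -> list:
    """Collect the ' N s:<subject>' / '   i:<issuer>' pairs that openssl prints."""
    entries = []
    lines = iter(output.splitlines())
    for line in lines:
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if not m:
            continue
        mi = re.match(r"\s*i:(.*)", next(lines, ""))  # issuer follows on the next line
        if not mi:
            raise ValueError(f"missing issuer line after {line!r}")
        entries.append(ChainEntry(m.group(1).strip(), mi.group(1).strip()))
    return entries

def cn(dn: str) -> str:
    """Return the CN attribute of an openssl-formatted distinguished name."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn

def chain_is_linked(chain: list) -> bool:
    """Every certificate's issuer must be the subject of the next one."""
    return all(a.issuer == b.subject for a, b in zip(chain, chain[1:]))

def ends_with_cross_sign(chain: list) -> bool:
    """True for the default 'long chain': ISRG Root X1 cross-signed by DST Root CA X3."""
    return bool(chain) and (cn(chain[-1].subject), cn(chain[-1].issuer)) == ("ISRG Root X1", "DST Root CA X3")

def short_chain(chain: list) -> list:
    """The chain with the trailing cross-signed root dropped, as the answer suggests testing."""
    return chain[:-1] if ends_with_cross_sign(chain) else list(chain)
```

Pipe a live capture (`openssl s_client -connect host:443 </dev/null`) into parse_chain to see which of the two Let's Encrypt chains a server is actually sending before and after changing its configuration.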

@yrozijn I agree with what @bruncsak said. Just wanted to add that here is further info describing the tradeoffs between the default "long chain" and the "short chain".

One conclusion is that if you need to support "old Android" but also need the short chain for other apps, you may have to switch to another Certificate Authority.

4 Likes

Thanks for your reply.
I suspect the problem was actually a delayed effect of the previous problem (with back1.yprgames.com). I "fixed" that one by updating the app to use a different subdomain and removing back1 - existing versions of the app would just not be able to connect.
Because of other problems I wasn't able to upload the new app version to the Play Store yet, but I found that the version (that contacts the new subdomain) works fine without showing that message.
I now trust that the upcoming app update will fix the problem.

1 Like
