[Cialug] LetsEncrpt & Android

Jeffrey Ollie jeff at ocjtech.us
Fri May 7 00:35:28 UTC 2021


The web server isn't returning the intermediate certificate. Certbot
usually puts both the local certificate plus the intermediate certificate
in a file called "fullchain.pem". Feed that into your webserver and it
should do the right thing.  Compare:

$ openssl s_client -connect navvf.org:443
CONNECTED(00000003)
depth=0 CN = navvf.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = navvf.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = navvf.org
verify return:1
---
Certificate chain
 0 s:CN = navvf.org
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgISA/nQ3zo+ZqY/DW6bAmwcUl3FMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD

versus:

$ openssl s_client -connect www.dmacc.net:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dmacc.net
verify return:1
---
Certificate chain
 0 s:CN = dmacc.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFKDCCBBCgAwIBAgISA/2403iNztn7SpVYZXA8wQNFMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD

On Thu, May 6, 2021 at 3:39 PM Jared Brees <fromj2sitsme at msn.com> wrote:

> I just tested on Android 10 (patch level 2019-10-06 / Google Play system
> update 2021-04-01), with Chrome 90(.0.4430.91) and it worked fine, no
> issues.
>
> Perhaps it's a single Android device? Or if it's multiple, what's the
> common denominator? Wrong time? Network blocking some traffic?
> ________________________________
> From: Cialug <cialug-bounces at cialug.org> on behalf of Jonathan A.
> Kollasch <jakllsch at kollasch.net>
> Sent: Thursday, May 6, 2021 13:21
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Subject: Re: [Cialug] LetsEncrpt & Android
>
> On Thu, May 06, 2021 at 11:16:58AM -0500, L. V. Lammert wrote:
> > Have a valid LE CERT (navvf.org), .. yet Android devices seem to not have
> > the root chain (certificate issuer unknown), .. WTF?
>
> Is your server properly providing any and all intermediate certificates
> too?
>
> Some client-side certificate bundles include the LE intermediate, but
> some only include the root CA that signed the intermediate that signed
> your LE certificate.
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
>


-- 
Jeff Ollie
The majestik møøse is one of the mäni interesting furry animals in Sweden.
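
Added example (not part of the original message): a shell function that reads `openssl s_client` output and reports whether the server sent the issuing certificate after the leaf, which is the difference between the two transcripts above. The function name `chain_status`, its verdict strings, and the embedded sample text (reconstructed from the chain sections quoted in the message) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the "Certificate chain" section of
# `openssl s_client` output read on stdin. Prints "<count> <verdict>":
#   missing-intermediate  only a non-self-issued leaf was sent
#   broken-order          some issuer is not the next certificate's subject
#   ok                    each certificate is followed by its issuer
#   no-chain              no chain section was found in the input
chain_status() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n - 1] = $0; next }
        END {
            verdict = (n == 0) ? "no-chain" : "ok"
            for (k = 0; k + 1 < n; k++)
                if (iss[k] != subj[k + 1]) verdict = "broken-order"
            if (n == 1 && iss[0] != subj[0]) verdict = "missing-intermediate"
            print n + 0, verdict
        }'
}

# Constructed sample: server sends the leaf only (first transcript above).
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:CN = navvf.org
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
}

# Constructed sample: server sends leaf plus intermediate (second transcript).
sample_full_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = dmacc.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

sample_leaf_only | chain_status
sample_full_chain | chain_status
```

Against a live server, pipe `openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null` into `chain_status`.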

