0

I have an SSL certificate which works correctly with all major desktop browsers (IE, Chrome, FF), and on Windows Phone and iOS, but not on Android.

I guess I've installed my certificate in the right order, because it shows the certificate hierarchy as follows on the server:

(root) AddTrust External CA \ (intermediate) Comodo RSA Certification Authority \ Comodo RSA Domain Validation Secure Server CA \ myunluckydomainnameexample.com

I know that only AddTrust is in the list of Android's root CAs, so it should be a problem with the intermediate ones. How can I investigate it further on my Windows 2008 R2?

I found the openssl tool:

    $ openssl s_client -connect myunluckydomainnameexample.com:443
    CONNECTED(00000003)
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=skaelede.hu
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----

I've compared its output with a known working site, https://ssllabs.com, and it gives the following output:

    $ openssl s_client -connect ssllabs.com:443
    CONNECTED(00000003)
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.ssllabs.com
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
     1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
     2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
       i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----

..which certificate am I missing here?

2 Answers

1

It seems too much modification in the Certificate Store leads to a limbo state of the certificate-chain, which is not curable by restarting IIS. After a scheduled reboot on the server, all changes in the CA-chain became effective and since then it works as expected.

0

The order needs to be 1) server CRT 2) Domain/EV/WildC CRT 3) 2nd CA

I just battled this problem (no-go on Chrome Android); here is how I fixed it with a domain certificate.

Unzip the zip file I got in my email:

    unzip www_mysite_com.zip

Create a certificate bundle with all the CAs but skipping the root COMODORSAAddTrustCA.crt:

    cat www_mysite_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > www.mysite.com.bundle.crt

I'm using nginx, so my crt line looks like:

    ssl_certificate /etc/nginx/ssl/www.mysite.com.bundle.crt;

Works great and I finally got Chrome on Android to work.

Regards
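
An added example, not part of the original question or answers: a small Python parser for the "Certificate chain" section of openssl s_client output, run on the two chains quoted in the question (embedded as constructed samples). It reports the issuer name that the last certificate sent leaves the client to resolve from its own trust store; the function and variable names are hypothetical.

```python
import re

# Constructed samples: the "Certificate chain" sections of the two s_client
# outputs quoted in the question, one certificate field per line.
COMODO = "/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA "
QUESTION_SITE = f"""Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=skaelede.hu
   i:{COMODO}Domain Validation Secure Server CA
 1 s:{COMODO}Domain Validation Secure Server CA
   i:{COMODO}Certification Authority
---
"""
SSLLABS = f"""Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.ssllabs.com
   i:{COMODO}Domain Validation Secure Server CA
 1 s:{COMODO}Domain Validation Secure Server CA
   i:{COMODO}Certification Authority
 2 s:{COMODO}Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    block = text.split("Certificate chain", 1)[1].split("---", 1)[0]
    subjects = re.findall(r"^\s*\d+\s+s:(.+)$", block, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", block, re.M)
    return [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]

def common_name(dn):
    """Extract the CN from either the /A=b/C=d or the A = b, C = d DN style."""
    m = re.search(r"(?:^|[/,])\s*CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn

def audit(text):
    chain = parse_chain(text)
    # Every certificate should be issued by the next one in the list.
    gaps = [n for n in range(len(chain) - 1) if chain[n][1] != chain[n + 1][0]]
    top_issuer = chain[-1][1]
    return {
        "sent": len(chain),
        "order_gaps": gaps,
        # Name the client must already trust, unless the server also sends
        # a certificate issued to this name by a root the client has.
        "client_must_trust": common_name(top_issuer),
    }

if __name__ == "__main__":
    for name, sample in (("question site", QUESTION_SITE), ("ssllabs.com", SSLLABS)):
        print(name, audit(sample))
```

The question's server stops at an issuer named COMODO RSA Certification Authority, while ssllabs.com sends one more certificate that links that name to AddTrust External CA Root, the root the asker says Android has.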
