SSL cert err cert authority invalid on mobile chrome only

Question

Domain   https   www amz2btc com  Analysis from SSL Labs   https   www ssllabs com ssltest analyze html d amz2btc com  All my desktop browsers open this fine   Mobile Firefox opens this fine   Only when I tried with mobile Chrome did I get the error   err cert authority invalid  I know very little about SSL  so I can t really make sense of the SSL report or why this error is coming up   If someone could ELI5  that would be ideal

User · Answer

I just spent the morning dealing with this. The problem wasn't that I had a certificate missing. It was that I had an extra.

I started out with my ssl.conf containing my server key and three files provided by my SSL certificate authority:

#   Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer

#   Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key

#   Server Certificate Chain:
SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem

#   Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem

It worked fine on desktops, but Chrome on Android gave me err_cert_authority_invalid

A lot of headaches, searching and poor documentation later, I figured out that it was the Server Certificate Chain:

SSLCertificateChainFile /etc/pki/tls/certs/AddTrustExternalCARoot.pem

That was creating a second certificate chain which was incomplete. I commented out that line, leaving me with

#   Server Certificate:
SSLCertificateFile /etc/pki/tls/certs/myserver.cer

#   Server Private Key:
SSLCertificateKeyFile /etc/pki/tls/private/myserver.key

#   Certificate Authority (CA):
SSLCACertificateFile /etc/pki/tls/certs/InCommonServerCA.pem

and now it's working on Android again. This was on Linux running Apache 2.2.

User · Answer

I solved my problem with this commands   cat   mydomain com crt   mydomain com ca-bundle  gt    mydomain com combine crt   and after   cat   mydomain com combine crt COMODORSADomainValidationSecureServerCA crt  COMODORSAAddTrustCA crt AddTrustExternalCARoot crt  gt  mydomain pem   And in my domain nginx  conf I put on the server 443   ssl certificate          ssl mydomain pem  ssl certificate key      ssl mydomain private key    I don t forget restart your  Nginx   service nginx restart

User · Answer

The report from SSLabs says     This server s certificate chain is incomplete  Grade capped to B           Chain Issues                  Incomplete   Desktop browsers often have chain certificates cached from previous connections or download them from the URL specified in the certificate  Mobile browsers and other applications usually don t   Fix your chain by including the missing certificates and everything should be right

User · Answer

A decent way to check whether there is an issue in your certificate chain is to use this website   https   www digicert com help   Plug in your test URL and it will tell you what may be wrong  We had an issue with the same symptom as you  and our issue was diagnosed as being due to intermediate certificates      SSL Certificate is not trusted      The certificate is not signed by a trusted authority  checking against   Mozilla s root store   If you bought the certificate from a trusted   authority  you probably just need to install one or more Intermediate   certificates  Contact your certificate provider for assistance doing   this for your server platform

User · Answer

I hope i am not too late  this solution here worked for me  i am using COMODO SSL  the above solutions seem invalid over time  my website lifetanstic co ke  Instead of contacting Comodo Support and gain a CA bundle file You can do the following   When You get your new SSL cert from Comodo  by mail  they have a zip file attached  You need to unzip the zip-file and open the following files in a text editor like notepad   AddTrustExternalCARoot crt COMODORSAAddTrustCA crt COMODORSADomainValidationSecureServerCA crt   Then copy the text of each   crt  file and paste the texts above eachother in the  Certificate Authority Bundle  optional   field   After that just add the SSL cert as usual in the  Certificate  field and click at  Autofil by Certificate  button and hit  Install    Inspired by this gist  https   gist github com ipedrazas 6d6c31144636d586dcc3

User · Answer

I had this same problem while hosting a web site via Parse and using a Comodo SSL cert resold by NameCheap   You will receive two cert files inside of a zip folder  www yourdomain com ca-bundle www yourdomain com crt  You can only upload one file to Parse  Parse SSL Cert Input Box  In terminal combine the two files using   cat www yourdomain com crt www yourdomain com ca-bundle  gt  www yourdomain com combine crt   Then upload to Parse  This should fix the issue with Android Chrome and Firefox browsers  You can verify that it worked by testing it at https   www sslchecker com sslchecker

User · Answer

Just do the following for Version 44 0 2403 155 dev-m  Privacy -- Content settings -- Do not allow any site to run JavaScript  Problem Solved

User · Answer

if you re like me who is using AWS and CloudFront  here s how to solve the issue  it s similar to what others have shared except you don t use your domain s crt file  just what comodo emailed you   cat COMODORSADomainValidationSecureServerCA crt COMODORSAAddTrustCA crt AddTrustExternalCARoot crt  gt  ssl-bundle crt   this worked for me and my site no longer displays the ssl warning on chrome in android

User · Answer

I had the same probleme but the response made by Mike A helped me to figure it out  I had a my certificate  an intermediate certificate  Gandi    an other intermediate  UserTrustRSA  and finally the RootCA certificate  AddTrust    So first i made a chain file with Gandi UserTrustRSA AddTrust and specified it with SSLCertificateChainFile  But it didn t worked   So i tried MikeA answer by just putting AddTruct cert in a file and specified it with SSLCACertificateFile and removing SSLCertificateChainFile But it didn t worked   So finnaly i made a chain file with only Gandi UserTrustRSA specified by SSLCertificateChainFile and the other file with only the RootCA specified by SSLCACertificateFile and it worked       Server Certificate  SSLCertificateFile  etc ssl apache myserver cer      Server Private Key  SSLCertificateKeyFile  etc ssl apache myserver key      Server Certificate Chain  SSLCertificateChainFile  etc ssl apache Gandi UserTrustRSA pem      Certificate Authority  CA   SSLCACertificateFile  etc ssl apache AddTrust pem   Seems logical when you read but hope it helps

User · Answer

For those having this problem on IIS servers   Explanation  sometimes certificates carry an URL of an intermediate certificate instead of the actual certificate  Desktop browsers can DOWNLOAD the missing intermediate certificate using this URL  But older mobile browsers are unable to do that  So they throw this warning   You need to  1  make sure all intermediate certificates are served by the server  2  disable unneeded certification paths in IIS - Under  Trusted Root Certification Authorities   you need to  disable all purposes  for the certificate that triggers the download   PS  my colleague has wrote a blog post with more detailed steps  https   www jitbit com maxblog 21-errcertauthorityinvalid-on-android-and-iis

User · Answer

I also had a problem with the chain and managed to solve using this guide https   gist github com bradmontgomery 6487319

User · Answer

I guess you should install CA certificate form one if authority canter   ssl trusted certificate             ssl SSL CA Bundle pem

[google-chrome] SSL cert "err_cert_authority_invalid" on mobile chrome only

Examples related to google-chrome

Examples related to ssl

Examples related to certificate

Examples related to ssl-certificate