4

I bought a Comodo SSL certificate from Namecheap. Now, SSL works fine on desktop, but I am getting a "This connection is not private" error on my mobile phone, in Chrome on Android.

Here is my virtual host file:

server {
    listen      80;
    server_name www.-------------.com;
    return      301 https://www.-------------.com$request_uri;
}

server {
    listen 443 ssl;

    root  /var/www/-------------.com/html;
    index index.html index.htm;

    # ssl_certificate is the bundle nginx sends to clients: the site
    # certificate first, then its intermediates in order; the key file is
    # the private key of the site certificate only
    ssl_certificate     /etc/nginx/ssl/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/navarrarpg_com.key;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_prefer_server_ciphers on;
    # SSLv3 is still enabled here; unrelated to the chain error, but worth
    # removing from the list
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    server_name www.-------------.com;

    location / {
        try_files $uri $uri/ =404;
    }
}

Here are the four files I received:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • -------------_com.crt

Of course, I then used the command to bundle them all up nicely to get the bundled certificate plus the key using the other command.

Now, when I go to https://www.digicert.com/help/ and I type in my address... it says that I installed it correctly.

I checked out my cert installation to make sure I got the chain right:

  • Comodo RSA Certification Authority
    • Comodo RSA Domain Validation Secure Server CA
      • -------------.com

I used the following command:

cat -------------_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

from this guide: https://gist.github.com/bradmontgomery/6487319 to get the ssl bundle cert.

Why isn't my website showing up securely on my Android mobile but is on my desktop?

I get a NET::ERR_CERT_AUTHORITY_INVALID error on my phone.

test

2 Answers

4

One of the certs in the chain ending with AddTrust External CA Root (02faf3e291435468607857694df5e45b68851868) is missing from what your server provides.

Specifically the intermediate cert COMODO RSA Certification Authority (f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0) is not included in what you serve.

What can also be seen is that the actual anchor is unnecessarily included instead. Maybe those two certificates were somehow switched up?

See e.g. the SSL Labs report.

Håkan Lindqvist
  • I thought I followed all of the necessary steps... you are saying I missed typing when using the `cat` command? I am sure I included all of the required files.... What is the correct procedure? – test Jun 18 '15 at 05:49
  • @DanJ. Either you made a mistake or the CA made a mistake in what certificates they handed to you. – Håkan Lindqvist Jun 18 '15 at 05:50
  • Am I going to have to do the `ssl bundle` thing again using `cat`? Because I remember including `AddTrust External CA Root` and `COMODO RSA Certification Authority`... hmm.. I see. – test Jun 18 '15 at 05:53
  • https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/1/which-is-root-which-is-intermediate may be of use – Håkan Lindqvist Jun 18 '15 at 05:57
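The missing-link check from the answer above, run against a bundle file the way the question's `cat` command produces one, as an added example that is not part of either post. The script builds a throwaway PKI with openssl that mirrors the question's four levels (root, a "Certification Authority" intermediate, a "Domain Validation" intermediate, and the site certificate; every name, path and CN is a placeholder for the demo, not Comodo's real certificates), then assembles three bundles: the correct leaf-plus-intermediates order, the same with the root appended, and the question's actual mistake (domain-validation intermediate present, the "Certification Authority" level dropped, root included). `check_bundle` walks the bundle and confirms that each certificate's issuer is the subject of the next one; `client_can_verify` emulates a verifier that trusts only the root and sees nothing but what the server sent, which is roughly the position of Chrome on Android, whereas a desktop browser can often fill a gap from an intermediate it has cached from another site or fetches itself.

```shell
#!/bin/sh
# Added example: check an nginx ssl_certificate bundle for chain gaps.
# Everything below is generated locally; the CA names are placeholders, not
# Comodo's real certificates, and the paths are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that make a certificate usable as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# gen_csr NAME CN: fresh RSA key plus CSR for one certificate.
gen_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Demo PKI mirroring the question: root -> CA -> DV CA -> site certificate.
gen_csr root "Demo External Root"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -days 1 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
gen_csr ca "Demo RSA Certification Authority"
openssl x509 -req -in "$WORK/ca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
gen_csr dvca "Demo RSA Domain Validation Secure Server CA"
openssl x509 -req -in "$WORK/dvca.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ca.ext" -out "$WORK/dvca.crt" 2>/dev/null
gen_csr leaf "www.example.com"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/dvca.crt" -CAkey "$WORK/dvca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null

# Three bundles, built the way the question builds ssl-bundle.crt.
cat "$WORK/leaf.crt" "$WORK/dvca.crt" "$WORK/ca.crt"                  > "$WORK/good.pem"
cat "$WORK/leaf.crt" "$WORK/dvca.crt" "$WORK/ca.crt" "$WORK/root.crt" > "$WORK/with-root.pem"
cat "$WORK/leaf.crt" "$WORK/dvca.crt" "$WORK/root.crt"                > "$WORK/broken.pem"

# check_bundle FILE: split the PEM bundle and walk it in served order.
# Exit status: 0 = every link present; 1 = a gap (issuer of cert N is not the
# subject of cert N+1); 2 = links fine but the bundle ends in a self-signed
# root, which the client must already trust and which is therefore dead weight.
check_bundle() {
    split=$(mktemp -d "$WORK/split.XXXXXX")
    awk -v d="$split" '/-----BEGIN CERT/ { n++ } { print > (d "/" sprintf("%02d", n) ".pem") }' "$1"
    prev_issuer=""
    rc=0
    for f in "$split"/*.pem; do
        subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "  $subj  <- issued by: $iss"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            echo "  GAP: the previous certificate needs '$prev_issuer' next, not '$subj'"
            rc=1
        fi
        prev_issuer=$iss
    done
    if [ "$rc" -eq 0 ] && [ "$subj" = "$iss" ]; then
        echo "  NOTE: bundle ends with a self-signed root; clients ignore it, so drop it"
        rc=2
    fi
    return "$rc"
}

# client_can_verify BUNDLE: a verifier that trusts only the root and sees only
# what the server sent. No fetching of missing issuers, no cache of
# intermediates seen on other sites: roughly the position of Chrome on Android.
client_can_verify() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
}

for b in good with-root broken; do
    echo "== $b.pem"
    check_bundle "$WORK/$b.pem" || echo "  check_bundle exit status: $?"
    if client_can_verify "$WORK/$b.pem"; then
        echo "  strict client: chain verifies"
    else
        echo "  strict client: verification FAILS"
    fi
done
```

To run the same check on a real server, feed `check_bundle` the file named in `ssl_certificate`, or capture what is actually served with `openssl s_client -connect host:443 -servername host -showcerts` and save the certificates it prints. One more pitfall the split step will expose: if a `.crt` file lacks a trailing newline, `cat` glues `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` onto one line, and nginx refuses to load the bundle.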
0

I recently had the same issue with the namecheap/comodo certs! (but omg $1.99)

Turns out it just took a long time to propagate(?). I don't really know how SSL certs are verified.

All desktop browsers worked fine, Safari mobile was good, even Tor browsers liked them, but Chrome mobile was giving me issues saying that the certificate wasn't signed by a verified person.

Check out my chain: https://kek.host

A couple hours later (much longer than the other browsers) I got the green bar in chrome mobile :)

kekhost
    You have the same kind of incomplete certificate chain as the site in this question. I would expect that to be the cause, and it getting "fixed" for you (for your specific client) after having visited some properly set up site with the same intermediate certificates (so that the cert ended up in the local cache). I don't even know what it would be that "propagates" in this scenario. – Håkan Lindqvist Jun 18 '15 at 16:45
  • hmm, could you be more specific in where mine is incomplete? `AddTrust > COMODO RSA CA > COMODO RSA DVSSCA > kek.host` is what I see, sure I've got RC4 Cipher issues and don't support a few things but it's all valid. – kekhost Jun 19 '15 at 00:32
  • Your server does not send the *COMODO RSA Certification Authority* (`f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0`) intermediate certificate. – Håkan Lindqvist Jun 19 '15 at 07:40