191

My site is working great over SSL on my desktops (Chrome); I have a green lock near the address bar saying "Identity verified".

But using a mobile browser (Chrome/Safari) I see the following message: "The identity of this website has not been verified", and the lock (in Chrome, near the address bar) has a red x mark on it. Any idea why it happens?

Avi Zloof
  • Where did you purchase the SSL certificate? Verisign? Geotrust? – Black Frog Dec 13 '12 at 15:21
  • what certificate authority are you using? – Polyana Fontes Dec 13 '12 at 15:21
  • 8
    Our app uses a webview and several customers complained about this. The problem turned out to be that these customers' servers did not include the entire cert chain along with the server certificate. The root and intermediate CA's are both in Android's native trust store, but the browser is not smart enough to look them up if they are not presented by the server. Reformatting the server cert to include the entire chain including certificate bodies fixed the problem. I believe this is considered a "best practice" but I am not an expert. – tennessee sombrero May 17 '13 at 02:42
  • How did you solve it? – Tyler Durden May 23 '13 at 16:20
  • I had this problem also, I fixed it as did tennessee sombrero, it turned out I did not have a complete chain (I actually had half a chain left over from a previous cert authority, as well as a complete chain for the current cert - this was causing the problem!) The SSL Labs link in Tas Morf's answer is very useful. – Coder Apr 21 '14 at 10:54
  • 4
    One thing you should know: If your date/time is wrong, you will get this error, too. Especially when testing apps on an emulator, this error is casual. Set time and date manually, if the automatic sync doesn't work. – neonmate Jun 21 '15 at 13:26
  • @tennesseesombrero thanks a lot, I've found the right direction because of your comment. Here's an online checker for this particular issue https://whatsmychaincert.com - it also has chain & configuration generators. – Alex Lokk Jun 14 '16 at 21:52
  • try this : https://stackoverflow.com/a/38598593/2301721 – ashishdhiman2007 May 30 '17 at 10:06

2 Answers

173

Put your domain name here: https://www.ssllabs.com/ssltest/analyze.html You should be able to see if there are any issues with your SSL certificate chain. I am guessing that you have SSL chain issues. A short description of the problem is that there's actually a list of certificates on your server (and not only one) and these need to be in the correct order. If they are there but not in the correct order, the website will be fine on desktop browsers (and iOS as well, I think), but Android is more strict about the order of certificates, and will give an error if the order is incorrect. To fix this you just need to re-order the certificates.

Tas Morf
  • 5
    Hello, when you say re-order as in change order? How? or placing the order with the signing authority again? Thanks – SergioM Jun 24 '13 at 06:18
  • 5
    Have a look at http://superuser.com/questions/347588/how-do-ssl-chains-work for more information on this... – Tas Morf Jul 03 '13 at 15:57
  • 1
    Did you ever find a fix for this? – Joel Murphy Nov 09 '13 at 11:52
  • 5
    @joelmurphy chances are you're missing the intermediate signing authority's certificate in your SSL cert chain, in my case I didn't bother to include it when I uploaded my cert and because it worked on a desktop I didn't think any more of it. My CA signing authority **did** send me a copy of it though – scrowler Jan 17 '14 at 01:21
  • 1
    for me, it was because my certificate was based off of GeoTrust Root CA, and older browsers (iPad2, Android Jelly-bean) do not consider GeoTrust a trusted Root CA. I had to install a Cross-Root CA Cert that chains the GeoTrust cert to the more commonly trusted Equifax Cert, as indicated here: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668 – jlee Mar 18 '15 at 20:49
  • Ok, that ssllab site is the ultimate SSL checker. God bless you for that. Thank you. – Niki Romagnoli Aug 04 '15 at 09:02
  • Thanks. Test in your link worked for me. – savepopulation Nov 11 '15 at 09:38
  • 11
    Here's an online checker that also generates the correct chain of certificates http://whatsmychaincert.com The analyzer you provided hasn't shown this issue explicitly. Though it shows a lot of other useful things, thanks. – Alex Lokk Jun 14 '16 at 21:54
  • In my situation: nginx. It only uses .key and .pem files for SSL. First you convert .crt to .pem (simply: cp yourfile.crt yourfile.pem) and then for the SSL cert chain: you append .cer file to the last of .pem (cat yourfile.cer >> yourfile.pem) – The Anh Nguyen Nov 21 '19 at 06:11
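
A minimal ordering check for the chain problem described in the answer and comments above, added here as an example (not code from the answer, its commenters, or SSL Labs). It compares issuer and subject names byte-for-byte and does not verify signatures or trust; `chain_problems`, `skeleton` and the sample names are assumptions, and the sample certificates are constructed, unsigned skeletons.

```python
import base64
import re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, pos, _ = tlv(der, 0)                  # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)                # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                   # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                      # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_problems(pem_bundle):
    """Expect leaf first, then intermediates: each issuer must be the next subject."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_bundle, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blocks]
    problems = [f"cert {i}: issuer is not the subject of cert {i + 1}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if len(names) == 1 and names[0][0] != names[0][1]:
        problems.append("cert 0: issuer certificate is not in the bundle")
    return problems

def skeleton(subject, issuer):
    """Constructed, unsigned sample certificate (short-form DER lengths only)."""
    d = lambda tag, body=b"": bytes([tag, len(body)]) + body
    name = lambda cn: d(0x30, d(0x31, d(0x30, d(0x06, b"\x55\x04\x03") + d(0x0C, cn.encode()))))
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30)
            + name(issuer) + d(0x30) + name(subject))
    body = base64.encodebytes(d(0x30, tbs + d(0x30) + d(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

LEAF = skeleton("www.example.test", "Example Intermediate")      # constructed names
INTERMEDIATE = skeleton("Example Intermediate", "Example Root")

if __name__ == "__main__":
    print(chain_problems(INTERMEDIATE + LEAF))   # wrong order
    print(chain_problems(LEAF + INTERMEDIATE))   # leaf first
```

To run it against a real server bundle, pass the contents of the PEM file the web server is configured to serve to `chain_problems`.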
17

The most likely reason for the error is that the certificate authority that issued your SSL certificate is trusted on your desktop, but not on your mobile.

If you purchased the certificate from a common certification authority, it shouldn't be an issue - but if it is a less common one it is possible that your phone doesn't have it. You may need to accept it as a trusted publisher (although this is not ideal if you are pushing the site to the public as they won't be willing to do this.)

You might find looking at a list of Trusted CAs for Android helps to see if yours is there or not.

Fenton