
On some mobile browsers, like Chrome mobile for Android, I get an ERR_CERT_AUTHORITY_INVALID error when I am connecting to my https website. I do not have this problem on every mobile browser (like Firefox) and there is no problem on PC.

My certificate is a Comodo Extended Validation certificate. I am contracting with Gandi.net, a French SSL certification authority, and Gandi is in charge of getting the Comodo EV certificate and giving it to me. Gandi gave me a base PEM certificate + an intermediate PEM certificate. I installed both.

I ran an analysis on https://www.ssllabs.com/ssltest/analyze.html and it says "extra download" for one of the certificates (named "COMODO RSA Certification Authority") even though I installed all the certificates I got from Gandi.

I tried to look into this thread but it did not help: SSL cert "err_cert_authority_invalid" on mobile chrome only

Does someone know what is wrong? Thanks.

Julien Salinas

4 Answers


For those interested here is how I solved the problem.

Problem: an intermediate Comodo certificate was missing from my certificate chain. My SSL certification authority (Gandi.net) was in charge of the relationship with Comodo and Gandi only gave me two certificates: a base certificate + an intermediate certificate. Both were in .pem format. I installed both and it was enough for almost any browser except for a couple of mobile browsers. Actually a Comodo intermediate certificate called "COMODO RSA Certification Authority" was missing.

Solution in 2 steps:

1) Found the repository containing all the Comodo certificates here: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate. I copy-pasted mine in .PEM format from this page: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/977/108/extended-validation-sha-2 (it is called "#intermediate1" there, not "COMODO RSA Certification Authority").

2) Concatenated this new intermediate certificate with the first intermediate certificate I already had (called "#intermediate2" on the Comodo website), putting the new certificate after the first one. I did it this way:

-----BEGIN CERTIFICATE-----
intermediate#2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate#1
-----END CERTIFICATE-----

Hope it will help!

Julien Salinas
  • My advice: always check your SSL setup at https://www.ssllabs.com/ssltest, and again after renewing certs. It spots errors like this and warns you of other potential security issues, which can 1) affect the security of your traffic and 2) cause errors in browsers, which are (quite rightly IMHO) continually pushing better security settings, giving warnings and in the worst cases blocking sites which don't keep up. – Barry Pollard Apr 30 '16 at 09:48
  • Just wanted to say thanks. This response helped me out after a lot of frustration. – Jody Heavener Aug 30 '16 at 01:14
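The diagnosis in this answer (a chain missing one intermediate verifies on clients that fetch or cache the issuer, and fails elsewhere) can be reproduced offline. The script below is an added example written for this thread, not code from the answer, from Comodo or from Gandi. It assumes the openssl command line is installed and builds a throwaway three-level test PKI whose names ("Demo Root CA", "Demo Intermediate 1/2", www.example.test) are all made up. It then verifies the leaf against a bundle holding only the second intermediate (the question's situation), against the complete bundle (the fix), and checks that a server bundle is in leaf-first order.

```shell
#!/bin/sh
# Added example for this thread, not code from the answer, Comodo or Gandi.
# Builds a throwaway test PKI with the openssl CLI (assumed installed):
#   Demo Root CA -> Demo Intermediate 1 -> Demo Intermediate 2 -> www.example.test
# which mirrors the two-intermediate layout in the answer. All names are made up.
set -e

# issue DIR NAME CN ISSUER EXT_SECTION: make a CSR for NAME and sign it with ISSUER's key.
issue() {
  d=$1; name=$2; cn=$3; issuer=$4; ext=$5
  openssl req -new -config "$d/req.cnf" -subj "/CN=$cn" \
    -newkey rsa:2048 -nodes -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
    -CAcreateserial -days 30 -extfile "$d/req.cnf" -extensions "$ext" \
    -out "$d/$name.pem" 2>/dev/null
}

# build_demo_pki DIR: writes root.pem, int1.pem, int2.pem and leaf.pem (plus keys) into DIR.
build_demo_pki() {
  d=$1
  mkdir -p "$d"
  # Minimal config so the run does not depend on the system openssl.cnf.
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
  # Self-signed root: the trust anchor a client already has; it never goes in the server bundle.
  openssl req -x509 -config "$d/req.cnf" -subj "/CN=Demo Root CA" -extensions v3_ca \
    -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" -days 30 2>/dev/null
  issue "$d" int1 "Demo Intermediate 1" root v3_ca
  issue "$d" int2 "Demo Intermediate 2" int1 v3_ca
  issue "$d" leaf "www.example.test"    int2 v3_leaf
}

# verify_chain ROOT CHAIN LEAF: does LEAF chain up to ROOT using only the certs in CHAIN?
# This is what a client with no AIA fetching and an empty intermediate cache effectively does.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# bundle_order_ok BUNDLE: true when each certificate's issuer is the subject of the next one,
# i.e. the file is in the leaf-first order a TLS server must send.
bundle_order_ok() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}' "$1"
  i=1
  while [ -f "$tmp/$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/$i.pem")
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$((i + 1)).pem")
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$tmp"; return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"

# The question's situation: only the second intermediate is served.
cat "$DEMO_DIR/int2.pem" > "$DEMO_DIR/broken-chain.pem"
# The answer's fix: both intermediates, the one closest to the leaf first.
cat "$DEMO_DIR/int2.pem" "$DEMO_DIR/int1.pem" > "$DEMO_DIR/full-chain.pem"
# What nginx (ssl_certificate) or Apache >= 2.4.8 (SSLCertificateFile) reads: leaf first.
cat "$DEMO_DIR/leaf.pem" "$DEMO_DIR/full-chain.pem" > "$DEMO_DIR/nginx-bundle.pem"
# Same certificates, wrong order: openssl verify still accepts it, bundle_order_ok does not.
cat "$DEMO_DIR/leaf.pem" "$DEMO_DIR/int1.pem" "$DEMO_DIR/int2.pem" > "$DEMO_DIR/wrong-order.pem"

report() { label=$1; shift; if "$@"; then echo "$label: OK"; else echo "$label: FAIL"; fi; }
report "chain with int2 only (question)" verify_chain "$DEMO_DIR/root.pem" "$DEMO_DIR/broken-chain.pem" "$DEMO_DIR/leaf.pem"
report "chain with int2 + int1 (answer)"  verify_chain "$DEMO_DIR/root.pem" "$DEMO_DIR/full-chain.pem" "$DEMO_DIR/leaf.pem"
report "bundle order leaf,int2,int1"      bundle_order_ok "$DEMO_DIR/nginx-bundle.pem"
report "bundle order leaf,int1,int2"      bundle_order_ok "$DEMO_DIR/wrong-order.pem"
```

Against a live server the equivalent of `verify_chain` is `openssl s_client -connect host:443 -servername host -showcerts </dev/null`: every certificate the server sends shows up as a BEGIN/END block, and the leaf must come first, followed by each intermediate up to, but not including, the root, which the client already trusts. nginx reads that ordered bundle from `ssl_certificate`; Apache 2.4.8 and later read it from `SSLCertificateFile`; older Apache takes the leaf in `SSLCertificateFile` and the intermediates in `SSLCertificateChainFile`. Note that `openssl verify` accepts the intermediates in either order because it builds the path itself, which is why the order check is a separate function: TLS 1.2 (RFC 5246) requires the server to send the chain in order and not every client tolerates an out-of-order one. Desktop browsers generally paper over a missing intermediate by fetching it from the AIA URL or reusing one cached from an earlier visit, which is why the gap tends to show up first on Android.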

I'm hosting my site under nginx and I also had the same problem with my Android application. The above accepted answer directed me to my solution:

When I got the certificate (my-domain.crt) I created a bundle .crt file by combining my certificate with the ComodoRSADomainCA and ComodoRSAAddTrustCA PEM content:

cat my-domain.crt ComodoRSADomain.crt ComodoRSAAddTrustCA.crt > ssl-boundle.crt

When I linked ssl-boundle.crt in nginx, the clients didn't have any issues exchanging data. I also got this nice result on ssllabs:

The happy score :)

RonzyFonzy

The certificate chain is incomplete. The "extra download" proves it.

You must send the chain including the missing certificate indicated by ssllabs.

Note that the connection works most of the time because browsers keep a cache of certificates.

Tom
  • OK, but the problem is I do not know how to get this certificate and how to install it – Julien Salinas Apr 24 '16 at 10:42
  • What server do you have? The chains to provide to nginx and Apache are different, for example. – Tom Apr 24 '16 at 12:44
  • I have an Apache server – Julien Salinas Apr 24 '16 at 12:45
  • Did you follow this: https://wiki.gandi.net/fr/hosting/using-linux/tutorials/ubuntu/ssl ? – Tom Apr 24 '16 at 14:00
  • Actually I am not hosted by Gandi but by AlwaysData. I'm pretty sure my certificate installation is correct because in the past I had already installed a Gandi certificate on AlwaysData and everything was fine. The only difference was that it was not a Comodo EV certificate... Thanks for the follow-up! – Julien Salinas Apr 24 '16 at 16:04

If the problem persists after creating the bundle: in my case there were some extra spaces at the end of the .pem, and Chrome showed the site as not secure while it worked fine on Firefox. After I removed them everything was OK. Hope this helps someone.

onalbi
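The failure mode in this last answer (whitespace or a malformed delimiter that one parser tolerates and another rejects) is easy to check mechanically before reloading the server. The script below is an added example, not code from the answer: `pem_lint` flags trailing blanks, CRLF line endings, armor lines that are not exactly `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` (such as the double space in `-----END  CERTIFICATE-----`) and stray text between blocks, and `pem_normalize` applies the safe automatic fixes. The sample files are constructed here with filler base64 bodies; they are not real certificates.

```shell
#!/bin/sh
# Added example, not from the original answer: a strict lint for PEM certificate bundles.
set -e

# pem_lint FILE: prints one line per problem; exits 0 only when FILE is clean.
pem_lint() {
  awk '
    function report(msg) { print FILENAME ":" NR ": " msg ": " $0; bad = 1 }
    BEGIN { bad = 0; inblock = 0 }
    /^-----BEGIN CERTIFICATE-----$/ { if (inblock) report("BEGIN inside an open block"); inblock = 1; next }
    /^-----END CERTIFICATE-----$/   { if (!inblock) report("END without BEGIN"); inblock = 0; next }
    /\r$/                           { report("CRLF line ending"); next }
    /[[:blank:]]$/                  { report("trailing whitespace"); next }
    /-----/                         { report("malformed armor line"); next }
    inblock && $0 !~ "^[A-Za-z0-9+/=]+$" { report("blank or non-base64 line inside a certificate block"); next }
    !inblock && NF > 0              { report("text outside any certificate block") }
    END { if (inblock) { print FILENAME ": unterminated certificate block"; bad = 1 }; exit bad }
  ' "$1"
}

# pem_normalize IN OUT: the mechanical fixes that are always safe,
# i.e. drop carriage returns and trailing blanks. A broken armor line still needs a human.
pem_normalize() {
  tr -d '\r' < "$1" | sed 's/[[:blank:]]*$//' > "$2"
}

# Constructed samples. The body lines are filler, not real certificate data.
PEM_GOOD=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVmgAwIBAgIUfakefakefakefakeA=' \
  '-----END CERTIFICATE-----' > "$PEM_GOOD"

# Only whitespace damage: a trailing blank on a body line and on the END line.
PEM_WS=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVmgAwIBAgIUfakefakefakefakeA= ' \
  '-----END CERTIFICATE----- ' > "$PEM_WS"

# Whitespace damage plus the double-space END line from the accepted answer's original post.
PEM_BAD=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBszCCAVmgAwIBAgIUfakefakefakefakeA= ' \
  '-----END  CERTIFICATE-----' > "$PEM_BAD"

for f in "$PEM_GOOD" "$PEM_WS" "$PEM_BAD"; do
  if pem_lint "$f"; then echo "$f: clean"; else echo "$f: needs fixing"; fi
done

# Normalizing repairs the whitespace-only file completely, but not the bad armor line.
PEM_WS_FIXED=$(mktemp); pem_normalize "$PEM_WS" "$PEM_WS_FIXED"
PEM_BAD_FIXED=$(mktemp); pem_normalize "$PEM_BAD" "$PEM_BAD_FIXED"
for f in "$PEM_WS_FIXED" "$PEM_BAD_FIXED"; do
  if pem_lint "$f"; then echo "$f: clean after normalize"; else echo "$f: still needs a manual fix"; fi
done
```

Run `pem_lint` on the bundle you are about to install and on the file each intermediate was pasted from; a clean result does not prove the chain is complete or in order, only that every block will parse, so it complements rather than replaces the SSL Labs check recommended above.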