I have a DigitalOcean server (Ubuntu 16.4, nginx) + ServerPilot. I installed Let's Encrypt following the site tutorial: https://www.robertwent.com/blog/using-letsencrypt-serverpilot/

Everything worked out, the result was this: https://testelcon2.tk

The problem: the site works with SSL installed on all desktop browsers. However, in mobile Android browsers it does not work. The error message I receive is a red padlock and the message: NET::ERR_CERT_DATE_INVALID

I tested other sites I found on the internet to see if the problem was only with my site, and they all work normally in my mobile browsers (Chrome, Safari and the native browser).

I have been trying to solve this problem for 4 days, but without success. What could be happening? What did I do wrong? Can someone check for me? https://www.ssllabs.com/ssltest/analyze.html?d=testelcon2.tk https://www.sslshopper.com/ssl-checker.html#hostname=https://testelcon2.tk

Luiz Stelzer
  • Probably better asking on [Information Security](https://security.stackexchange.com/). – zaph Nov 10 '17 at 22:49

3 Answers

There is a known issue in Android 7.0 with HTTPS connections regarding elliptic curves. If the problem occurs only on Android 7.0 devices (the bug only exists in this version) it's probably it.

The easiest workaround is to configure the server to use the prime256v1 elliptic curve. If you use nginx just set

ssl_ecdh_curve prime256v1;

I know your error message doesn't suggest anything to do with elliptic curves, but I was stuck with this problem in React Native getting a misleading error message, and only changing the elliptic curve setting on my server solved it, so maybe it can help you.

This answer explains the issue much better than myself.

Daniel

Actually it's more likely to be an ssl_ciphers server-side settings problem.

Change your ssl_ciphers settings on nginx to the one recommended by openHAB:

ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;

Don't forget to reload (systemctl reload nginx), and now all problematic Android devices should work just fine.

lapin

I've noticed older versions of Android have problems with Let's Encrypt certificates; in my case they evidently do not trust Internet Security Research Group and require the presence of other authority(ies) in the chain. Use openssl s_client -connect [domain]:443 -prexit to inspect the chain in case the problem is for older versions of Android and it works only with certain sites that use Let's Encrypt. Example output for a working domain I've tested:

CONNECTED(00000184)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.seznam.cz
verify return:1
---
Certificate chain
 0 s:CN = www.seznam.cz
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Both use Let's Encrypt, but my domain does not have Digital Signature Trust.

The best way of inspecting a domain wrt. various devices is

https://www.ssllabs.com/ssltest/analyze.html

Jiří
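Comparing chains by eye, as the answer above does, is error-prone once you have several hosts to check. The following is an added example (not code from any of the answers): it parses the "Certificate chain" section of `openssl s_client -prexit` output, verifies that each certificate's issuer is the subject of the next one the server sent, and reports which authority the sent chain ends at, so you can see whether a cross-signing root such as DST Root CA X3 is present. The two inputs are constructed samples in the same layout as the answer's output, with a made-up host name; they were not captured from a real server.

```python
import re

# Constructed sample input: the layout printed by
#   openssl s_client -connect example.test:443 -prexit
# with a made-up host name. Not captured from a real server.
SAMPLE_FULL_CHAIN = """\
CONNECTED(00000184)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
"""

# Constructed second sample: a server that sends only leaf + intermediate,
# so the chain it offers stops at ISRG Root X1 and never reaches DST Root CA X3.
SAMPLE_SHORT_CHAIN = """\
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

SUBJECT_LINE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    lines = s_client_output.splitlines()
    in_chain = False
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break                      # end of the chain section
        elif in_chain:
            subj = SUBJECT_LINE.match(line)
            issuer = ISSUER_LINE.match(lines[i + 1]) if subj and i + 1 < len(lines) else None
            if subj and issuer:
                chain.append((subj.group(1).strip(), issuer.group(1).strip()))
                i += 1                 # the issuer line has been consumed too
        i += 1
    return chain


def cn_of(dn):
    """Pull the CN attribute out of an OpenSSL-style 'C = US, O = ..., CN = ...' name."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return dn.strip()


def audit_chain(chain):
    """Check that each issuer is the next subject and report where the sent chain ends."""
    breaks = [cn_of(chain[k][0]) for k in range(len(chain) - 1)
              if chain[k][1] != chain[k + 1][0]]
    top_subject, top_issuer = chain[-1] if chain else ("", "")
    return {
        "depth": len(chain),
        "ordered": not breaks,
        "breaks_after": breaks,            # CNs after which the chain is broken
        "top_issuer_cn": cn_of(top_issuer),  # the authority the client must trust
        "top_is_self_signed": bool(chain) and top_subject == top_issuer,
    }


def chain_reaches(chain, cn):
    """True if a certificate with this CN appears as subject or issuer anywhere in the chain."""
    return any(cn_of(s) == cn or cn_of(i) == cn for s, i in chain)


if __name__ == "__main__":
    for label, text in (("full", SAMPLE_FULL_CHAIN), ("short", SAMPLE_SHORT_CHAIN)):
        chain = parse_chain(text)
        print(label, audit_chain(chain),
              "reaches DST Root CA X3:", chain_reaches(chain, "DST Root CA X3"))
```

Run it against saved `openssl s_client` output for each host you want to compare. The report only describes what the server sends; whether a device accepts the top issuer still depends on that device's trust store, which is why the same Let's Encrypt leaf can work on one phone and fail on another.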