By: Nathan485

SSL Certificate issues only on Android Chrome?

August 26, 2015 3.3k views
Security Apache

So I installed an SSL certificate on a subdomain and everything worked fine for desktop Chrome and IE, but when I use Android Chrome I get the following error...
ERR_CERT_AUTHORITY_INVALID

Looking at the certificate, it appears to have only 1 certificate, the website's, but not the root or intermediate. It is a class 1 certificate from StartSSL, and this is my SSL virtual host config for my subdomain:

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl/cloud/ssl.crt
SSLCertificateKeyFile /etc/apache2/ssl/cloud/private.key
SSLCertificateChainFile /etc/apache2/ssl/sub.class1.server.ca.pem

5 Answers

Hello and welcome to DigitalOcean

Here you go:

cd /etc/apache2/ssl/cloud/
wget https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem
cat ssl.crt sub.class1.server.sha2.ca.pem > ssl_unified.crt

Now your new Apache2 configuration:

SSLEngine on
# Please no SSLv3
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

SSLCertificateFile /etc/apache2/ssl/cloud/ssl_unified.crt
SSLCertificateKeyFile /etc/apache2/ssl/cloud/private.key

Restart Apache2

PS: I would recommend a better cipher suite:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  • Still getting the same issue when I try combining the files. When I run a test at SSL Labs, it says only 1 certificate is provided. It lists 2 chains, and for both it has "extra download" next to the intermediate and lists the root as already being in the datastore. How do I make it so that all 3 certificates are provided by my server? I read that Android Chrome tends to work differently with root certificates.

@Nathan485 could you reboot your Droplet and provide me your domain name?!

PS: You did everything right, as we "installed" the correct chain.

@Nathan485 could you try this configuration?

SSLEngine on
# Please no SSLv3
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLCertificateFile /etc/apache2/ssl/cloud/ssl_unified.crt
SSLCertificateKeyFile /etc/apache2/ssl/cloud/private.key
SSLCertificateChainFile /etc/apache2/ssl/cloud/sub.class1.server.sha2.ca.pem

Restart Apache2

Normally you don't need to do this after a Certificate merge. If it is still not working, reinstall Apache2.

  • Yeah, unfortunately it still does not work. Keep in mind that all the SSL config is in a virtual host config file, so I am not sure if that might have something to do with it. I have two folders for my subdomains, and each has its own ssl.crt and private key, with the intermediate and root in the main ssl directory. Could that be an issue? Anyway, when I have more time tomorrow I will start over from scratch and see if I can fix it, and I will update this thread. I really appreciate your help :)
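
The certificate merge from the first answer, replayed against a throwaway CA hierarchy, as an added example that is not part of the original thread: it shows that a client trusting only the root rejects the server certificate on its own and accepts it once the intermediate is supplied with it. The `Demo ...` names, `cloud.example.test` and the helper function names are assumptions, and `openssl` must be installed.

```shell
#!/bin/sh
# Added example. Every key and certificate is a throwaway built in a temp
# directory; the "Demo ..." names and cloud.example.test are made up.

make_demo_pki() {  # build root -> intermediate -> leaf in directory $1
  local d="$1"
  printf '[req]\ndistinguished_name=req\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/c.cnf"
  openssl req -config "$d/c.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -config "$d/c.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/c.cnf" -extensions ca -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -config "$d/c.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=cloud.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/ssl.crt" 2>/dev/null
  # Same merge as in the answer: server certificate first, then the intermediate.
  cat "$d/ssl.crt" "$d/int.pem" > "$d/ssl_unified.crt"
}

# How many certificates a PEM file holds, and who issued / owns the first one.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
issuer_of()   { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }
subject_of()  { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }

# Would a client that trusts only root $1 accept leaf $2? Optional $3 is a PEM
# file with the extra certificates the server sends along with the leaf.
# Matches on "OK" in the output because old openssl builds exit 0 on failure.
client_accepts() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  echo "ssl.crt: $(count_certs "$d/ssl.crt") cert, ssl_unified.crt: $(count_certs "$d/ssl_unified.crt") certs"
  echo "leaf issuer: $(issuer_of "$d/ssl.crt") | intermediate subject: $(subject_of "$d/int.pem")"
  client_accepts "$d/root.pem" "$d/ssl.crt" \
    && echo "leaf only: accepted" || echo "leaf only: rejected"
  client_accepts "$d/root.pem" "$d/ssl.crt" "$d/ssl_unified.crt" \
    && echo "leaf + intermediate: accepted" || echo "leaf + intermediate: rejected"
  rm -rf "$d"
}
demo
```

To see what a live server actually sends, `openssl s_client -connect HOST:443 -servername HOST -showcerts` prints every certificate in the presented chain. Apache reads intermediates from `SSLCertificateFile` only from version 2.4.8 on; earlier versions send them only from `SSLCertificateChainFile`.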
