
Comodo SSL Certificate showing as invalid on Android Devices

@Gretchen104

Posted in: #Cpanel #Https #SecurityCertificate

I run a website where I have full cPanel and limited WHM access. I recently upgraded one of my domains to include SSL (a first-time experience for me).

The certificates are installed in cPanel, and our happy little padlock is now displaying. This works perfectly on desktops (all browsers), iPhones and some other phones; however, a selection of Android devices are stating that the server's certificate is not trusted.

I've run tests on:


Comodo
GeoCerts
SSLChecker
Symantec


Comodo's own checker is stating "No (self signed certificate in certificate chain)"

Geocerts is stating "A valid Root CA Certificate could not be located, the certificate will likely display browser warnings."

SSLChecker says the chain is fine.

Symantec says the chain is fine.

I've searched all over the net. One non-Apache source says something about merging all of the .crt files into one and installing that on your server, but I'm not sure if that is relevant for Apache servers as well?

I have, from COMODO:

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSAOrganizationValidationSecureServerCA.crt
mydomain.crt


I would love any help from people that know what they are talking about over me who is making this up as I go along :(

10.02% popularity

2 Comments


@LarsenBagley505

Simply, the problem here is that the certificate chains up to COMODO RSA Certificate Authority at the root, not to AddTrustExternalCARoot.
Android devices do not have the COMODO RSA Certificate Authority in their root stores, only AddTrustExternalCARoot.

If running IIS, you should go ahead and remove the COMODORSACertificateAuthority in the root store on the web server, and instead place this in the intermediate store.
On Apache or others, you should set the chain correctly in the chain file.

10% popularity
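
The trust-store difference described in the answer above, reproduced with Ruby's OpenSSL bindings as an added example (not code from the thread). Every certificate is a constructed stand-in: "Constructed Old Root" plays AddTrustExternalCARoot, "Constructed New CA" plays COMODO RSA Certificate Authority in both a self-signed and a cross-signed form (assumed here to be the role of COMODORSAAddTrustCA.crt), and the helper names `issue`, `build_pki`, `trusted?` and `scenarios` are hypothetical.

```ruby
require "openssl"

# Issue a certificate for subject/key, signed by issuer_key.
# issuer_cert = nil yields a self-signed certificate.
def issue(subject, key, issuer_cert, issuer_key, serial, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Constructed stand-in PKI; none of these are the real Comodo/AddTrust certificates.
def build_pki
  k = Hash.new { |h, name| h[name] = OpenSSL::PKey::RSA.new(2048) }
  old_root = issue("/CN=Constructed Old Root", k[:old], nil, k[:old], 1)
  new_root = issue("/CN=Constructed New CA", k[:new], nil, k[:new], 2)      # self-signed form
  cross    = issue("/CN=Constructed New CA", k[:new], old_root, k[:old], 3) # same key, cross-signed
  issuing  = issue("/CN=Constructed Issuing CA", k[:iss], new_root, k[:new], 4)
  leaf     = issue("/CN=www.example.test", k[:leaf], issuing, k[:iss], 5, ca: false)
  { old_root: old_root, new_root: new_root, cross: cross, issuing: issuing, leaf: leaf }
end

# True if leaf chains to one of roots using only the certificates the server sent.
def trusted?(roots, leaf, sent)
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) }
  store.verify(leaf, sent)
end

# Two client trust stores against two server chain files.
def scenarios(pki = build_pki)
  desktop = [pki[:old_root], pki[:new_root]] # also trusts the newer root
  android = [pki[:old_root]]                 # only the older root
  short = [pki[:issuing]]                    # chain file missing the cross-signed CA
  full  = [pki[:issuing], pki[:cross]]       # issuing CA first, then cross-signed CA
  { desktop_short: trusted?(desktop, pki[:leaf], short),
    android_short: trusted?(android, pki[:leaf], short),
    android_full:  trusted?(android, pki[:leaf], full),
    desktop_full:  trusted?(desktop, pki[:leaf], full) }
end

p scenarios
```

Only `android_short` fails, which matches the symptom in the question: clients that already trust the newer root accept the short chain, while a client holding only the older root needs the cross-signed CA in the chain file. The root itself is not sent by the server in any scenario.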


 

@Radia820

Inspecting your SSL certification on your website I can confirm that you have used the correct files included in the zip file provided by Comodo.

For other readers, the Comodo SSL PositiveSSL/EssentialSSL, 2 files required by cPanel or WHM are:


example.crt (Main Cert)
COMODORSAOrganizationValidationSecureServerCA.crt (CABundle)
example.key (Key file, provided when you generated CSR)


Address issue, maybe...

However, while not a major problem, I thought I'd share with you my first findings that may cause slight weight in local rankings with some major search engines, mainly Google. After all, since you're using SSL I'm guessing one of your reasons for this was the SEO benefits, anyhow...


If you didn't know already, Google uses a local SEO algorithm that differs from their normal organic rankings. One of the most important local SEO factors is NAP consistency, and if you look at the image above you can see that the address on Google is not an exact match. While we can't say for sure that Google cares about the address matching in the SSL, we do know that NAP consistency everywhere else is important, and since this is within your control it's an easy fix.

I recommend that you recreate your signing request, follow my blog article if you need a reminder how, step 1 (since rest is WHM related). Also, I'd remove the UNIT name as 'training' since unless this is registered in the address, or somewhere else a limited registration on gov.uk then leave it out, only use the UNIT if the organisation is huge.

If the SSL has the correct details but Google is incorrect then I recommend that you correct this. Again, consistency is key; ensure that all your citations are an exact match. Also, try avoiding missing out the LTD in the company name on external sites, and don't forget to check your NAP consistency on the limited company registrar at gov.uk/business since this citation will hold a lot of weight. Ideally, the NAP should be the full name of the business including the LTD in the name, and the address registered on Royal Mail and the main 'local' phone number.

Anyhow, this is about the SSL not local SEO so enough said, let's move on...

Main Issues with the SSL CERT

Currently you have some major server-side issues that need addressing. Currently it's pointless having the SSL with the exploitable vulnerabilities the server has; these are the following points:


This server supports anonymous (insecure) suites (see below for details). Grade set to F.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.


These may be causing the issue on the Android, but if not, they must be addressed. It's pretty common that web hosting companies are lazy when it comes to patching against SSL, in fact I regularly encounter it weekly. If you have problems, find a new host; it's not acceptable, security is one of the most important features of a web host. Do not settle for anything other than a grade A- or A+ by Qualys Labs SSL Checker.

If fixing the above doesn't resolve the issue then it's likely because of the SSL CERT itself, on an older Android phone, since not all SSL CERTS are the same; some support more phones/computers and different OS's. Generally the more expensive the SSL the better compatibility, though I've never experienced a problem with Android even when using cheap SSLs.

Personally, I'd fix the mentioned problems, then test it but make sure you test it on more than one Android, and if possible get the Android version, since these differ majorly in terms of browser support.

10% popularity

