Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)


Solution 1

For those interested, here is how I solved the problem.

Problem: an intermediate Comodo certificate was missing in my certificate chain. My SSL certification authority (Gandi.net) was in charge of the relationship with Comodo and Gandi only gave me two certificates: a base certificate + an intermediate certificate. Both were in .pem format. I installed both and it was enough for almost any browser except for a couple of mobile browsers. Actually a Comodo intermediate certificate called "COMODO RSA Certification Authority" was missing.

Solution in 2 steps:

1) found the repository containing all the Comodo certificates here https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate. I copy pasted mine in .PEM format from this page https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/977/108/extended-validation-sha-2 (it is called "#intermediate1" here, not "COMODO RSA Certification Authority").

2) concatenated this new intermediate certificate with the first intermediate certificate I already had (called "#intermediate2" on the Comodo website) by putting this new certificate at the end of the first certificate. I did it this way:

-----BEGIN CERTIFICATE-----
intermediate#2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate#1
-----END CERTIFICATE-----

Hope it will help!

Solution 2

I'm hosting my site under nginx and I also had the same problem with my Android application. The above accepted answer directed me to my solution:

When I got the certificate (my-domain.crt) I created a bundle crt file, which was generated by combining my certificate with the ComodoRSADomainCA and ComodoRSAAddTrustCA PEM content:

cat my-domain.crt ComodoRSADomain.crt ComodoRSAAddTrustCA.crt > ssl-boundle.crt

When I linked ssl-boundle.crt to nginx then the clients didn't have any issues exchanging data. And also I got this nice result on ssllabs:

The happy score :)

Solution 3

The certificate chain is incomplete. The "extra download" proves it.

You must send the chain including the missing certificate indicated by ssllabs.

Note that the connection works most of the time because browsers keep a cache of certificates.
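
One way to check a bundle for the gap the answers above describe, as an added example that is not part of the original answers. It builds a throwaway, constructed PKI with placeholder names (root, int1, int2, leaf; not Comodo certificates) and uses `openssl verify` to test whether a client that trusts only the root can build the path from what the server sends.

```shell
#!/bin/sh
# Added example: constructed four-tier chain root -> int1 -> int2 -> leaf.
# All names and files are placeholders created in a temporary directory.

d=$(mktemp -d)

# issue NAME ISSUER IS_CA: create $d/NAME.key and $d/NAME.pem signed by ISSUER.
issue() {
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$d/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/$1.pem" 2>/dev/null
}

# chain_complete ROOT BUNDLE: BUNDLE is what the server sends (leaf first).
# Succeeds only if a path from the leaf to ROOT can be built from BUNDLE alone,
# that is, without cached intermediates or an "extra download".
chain_complete() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Self-signed root (the default openssl.cnf marks it as a CA).
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=root" -days 2 \
  -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
issue int1 root TRUE
issue int2 int1 TRUE
issue leaf int2 FALSE

# Bundle as first installed: leaf + one intermediate (int1 is missing).
cat "$d/leaf.pem" "$d/int2.pem" > "$d/incomplete.pem"
# Bundle after the fix: the missing intermediate appended after the first one.
cat "$d/leaf.pem" "$d/int2.pem" "$d/int1.pem" > "$d/complete.pem"

for b in incomplete complete; do
  if chain_complete "$d/root.pem" "$d/$b.pem"; then
    echo "$b.pem: chain complete"
  else
    echo "$b.pem: chain incomplete"
  fi
done
```

For a real deployment, pass the root certificate that the failing client actually trusts as ROOT and the file configured on the server as BUNDLE; desktop browsers can hide the gap because they cache or fetch intermediates.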


Author: Julien Salinas


Updated on September 20, 2022

Comments

  • Julien Salinas over 1 year

    On some mobile browsers, like Chrome mobile for Android, I get an ERR_CERT_AUTHORITY_INVALID error when I am connecting to my https website. I do not have this problem on every mobile browser (Firefox, for example, works) and there is no problem on PC.

    My certificate is a Comodo Extended Validation certificate. I am contracting with Gandi.net, a French SSL certification authority, and Gandi is in charge of getting the Comodo EV certificate and giving it to me. Gandi gave me a base PEM certificate + an intermediate PEM certificate. I installed both.

    I did analyses on https://www.ssllabs.com/ssltest/analyze.html and it says "extra download" for one of the certificates (named "COMODO RSA Certification Authority") while I installed all the certificates I got from Gandi.

    I tried to look into this thread but it did not help: SSL cert "err_cert_authority_invalid" on mobile chrome only

    Does someone know what is wrong? Thanks.