Why does Android Chrome say my site's security certificate is not trusted?

My site is https://blendbee.com. It's using a PositiveSSL certificate that is valid.

In Windows 8 Chrome the certificate is fine (green lock in top left corner).

But...on my Android, it's not so fine. Screenshot: http://postimg.org/image/6vc64lr1d/

Any ideas why?

The server is running Ubuntu 13.10 at Digital Ocean.

Solution 1:

You need to provide the entire certificate chain in order for it to show up as trusted.

Here's the link I got for comodo's instructions on installing the cert chain in apache: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/637/37/certificate-installation-apache--mod_ssl

I got this from http://www.sslshopper.com/ssl-checker.html#hostname=blendbee.com, which flagged your cert as not being trusted in all browsers because of an incomplete chain.

Solution 2:

A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.

You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.

You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver