What is wrong with my SSL trust chain?
The SSL cert for my site, https://www.snipsalonsoftware.com/, doesn't work on Android. In troubleshooting this problem I've plugged my site into the Qualys SSL Labs testing tool:
https://www.ssllabs.com/ssltest/analyze.html?d=www.snipsalonsoftware.com&s=50.57.181.104
This report seems to tell me that I have "chain issues". Something is "incomplete". But I'm having trouble understanding exactly what is incomplete.
In the next section, under "Certification Paths", I see in orange (and I'm guessing orange means "kinda bad") "Extra download". I have no idea what this means or how to fix it. I found this thread, but I can't tell how to translate what they're saying into a solution for me.
What should I do?
You have configured your server to only send the certificate to browsers. For most desktop browsers, this is fine because they already contain a whole lot of intermediate and root CA details, so they can construct the chain of trust easily. For most mobile browsers you generally need to provide the entire certificate chain, i.e. your own certificate, that of the issuing CA and any intermediates that might exist between that and the ultimate root CA. The mobile device will likely have the root CA details only in this scenario.
For your specific cert, you can read this Comodo helpdesk article: Knowledgebase : Comodo Certification Authority > Certificates > SSL > Certificate Installation
A certificate can contain a special Authority Information Access extension (RFC-3280) with a URL to the issuer's certificate. Most browsers can use the AIA extension to download the missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such a certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
You should be able to fetch intermediate certificates from the issuer and concatenate them yourself. I have written a script to automate the procedure; it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
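Worked example of what both answers describe, added here and not part of the question, either answer, or the linked cert-chain-resolver project. It builds a throwaway root -> intermediate -> leaf hierarchy with OpenSSL (all names, and the http://ca.example.com/intermediate.crt AIA URL, are made up), then shows that the leaf on its own does not verify against the root, which is what "incomplete chain" means in the SSL Labs report; that the leaf plus intermediate concatenated in the order the second answer gives, root excluded, does verify; and where the AIA "CA Issuers" URL that browsers follow for the "Extra download" lives. It assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example: throwaway PKI to demonstrate an incomplete vs complete chain.
# Not code from the question, the answers or cert-chain-resolver.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: one extension section per tier of the hierarchy.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
# The pointer AIA-aware clients follow to fetch a missing intermediate (made-up URL).
authorityInfoAccess = caIssuers;URI:http://ca.example.com/intermediate.crt
EOF

make_chain() (
  cd "$WORK"
  # Self-signed root: this is what a client's trust store would contain.
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -days 30 -config ca.cnf -extensions v3_ca -subj "/CN=Example Root CA" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -config ca.cnf -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 30 -extfile ca.cnf -extensions v3_int 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -config ca.cnf -subj "/CN=www.example.com" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 30 -extfile ca.cnf -extensions v3_leaf 2>/dev/null
  # What the server should send: leaf first, then intermediate(s); root excluded.
  cat leaf.crt int.crt > fullchain.crt
)

# Leaf sent alone, as the asker's server does: OpenSSL cannot build a path to
# the root because the intermediate is missing and it does not follow AIA.
verify_leaf_alone() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Leaf plus the concatenated chain file. -untrusted loads every cert in the
# file as a path-building candidate; a bare positional file is read for its
# first certificate only, which is why the chain file goes here.
verify_with_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.crt" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# The AIA caIssuers URL embedded in the leaf: the "Extra download" a browser
# performs when the server does not send the intermediate itself.
aia_issuer_uri() {
  openssl x509 -in "$WORK/leaf.crt" -noout -text | sed -n 's/.*CA Issuers - URI://p'
}

# Number of PEM certificates in a file (2 expected for leaf + intermediate).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

make_chain
if verify_leaf_alone; then
  echo "leaf alone: verify OK (unexpected)"
else
  echo "leaf alone: verify FAILS (incomplete chain, no AIA fetch in openssl verify)"
fi
verify_with_chain && echo "leaf + fullchain.crt: verify OK"
echo "AIA caIssuers URL in leaf: $(aia_issuer_uri)"
echo "certificates in fullchain.crt: $(count_certs "$WORK/fullchain.crt")"
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`: each `BEGIN CERTIFICATE` block in the output is one certificate the server actually sent, so a single block means only the leaf is being served and clients without AIA fetching will fail exactly as `verify_leaf_alone` does here.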