Security Certificate Warning in Android

PCZero

Well-Known Member
Dec 13, 2003
774
103
193
Earth
I have a GeoTrust certificate on my server's main hostname. When I surf to https://hostname:2087 in my desktop browser I proceed with no issue. However, when I surf to that address with my Android device I get a "The site's security certificate is not trusted" warning.

Is this the expected behavior? Why would an Android device think that a GeoTrust certificate should not be trusted?

(Full Disclosure: I am near the end of a 14 hour coding session so I may be in stupid mode right now.)
 

PCZero

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GeoTrust's Certificate Installation Instructions for your server platform (use these instructions for RapidSSL). Pay attention to the parts about Intermediate certificates.
EDITED - OK I found the instructions but they are for how to set up SSL when you initially do the installation. Somehow I missed this whole concept of an intermediate CA a year ago when I initially set this all up. Now I need to go back and re-do things but use the Intermediate CA. I am a bit leery of what to do at this point. Do I simply go into WHM and delete the current SSL info and reinstall? Truth be told I am not exactly sure what the exact steps would be to do this. Do I need to go into "SSL Storage Manager" and delete anything? Do I just (or at all) have to go into "Manage SSL Hosts" and delete the certificate there? Would I need to go into "Service Configuration" and do anything under "Manage Service SSL Certificates"? Any help you can provide would be greatly appreciated.

Thanks!
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,258
463
Hello :)

You can simply reinstall the certificate via "WHM >> Manage Service SSL Certificates", including the CABundle this time. You should not have to delete the certificate before doing this.

Thank you.
 

PCZero

I am about to run the reinstall, however when I go into the install SSL section of WHM and pull up the existing certificate under Apache all goes well UNTIL I paste in the CA Bundle from the site mentioned above. When I do that I get this error "The CA bundle does not match the certificate." Is that to be expected?
 

PCZero

OK I was trying to use the RSA SHA-1 SSL Certificates CA bundle and got that error. When I use the RSA SHA-2 (Under SHA-1 Root) SSL Certificates CA Bundle I get no error when it is pasted. I went ahead and reinstalled with that CA Bundle and the certificate warning situation still exists.
 

cPanelMichael

"I went ahead and reinstalled with that CA Bundle and the certificate warning situation still exists."

Could you send me the URL in a private message so I can verify the specific warning message that appears?

Thank you.
 

PCZero

Um yeah but I'm not sure how to do that. Is that what the 'start a conversation' feature is?
 

PCZero

Thank you for that link. I may have missed something but it looks like that eventually only loops back to the info that jcats provided in his initial reply. I understand (kind of anyway) the cause, I have no idea at all how to resolve the issue based on what I was able to read. The page you sent me to was a bit confusing (my dyslexia is pretty bad right now) so I was not able to see if it offered an actual fix. Did that page say that I need to install a second certificate of some sort and arrange them in a specific order? I THINK I read a reply to that effect but it was not clear and the instructions on how to accomplish that were not present. Can you offer additional advice please?

BTW did you get the private message I sent with the requested info?
 

PCZero

I am using the correct CA off of the RapidSSL site. The checker listed in the initial response and the one at the Geo site show no errors in the certificate.
 

PCZero

I just ran the SSL checker on the server in question and got the following warning. Is this a current issue that I need to address?


Warnings
BEAST
The BEAST attack is not mitigated on this server.
RC4
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
 

PCZero

OK I just noticed something.

Using the SSL Checker - SSL Certificate Verify page for testing returns the following...

https://blah.mydomain.com -> no errors or warnings...
https://blah.mydomain.com:2087 -> the warning message

"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GeoTrust's Certificate Installation Instructions for your server platform (use these instructions for RapidSSL). Pay attention to the parts about Intermediate certificates." is displayed.

Do I need to do something to specifically add the certificate to the WHM, cPanel, and WebMail ports?
 

PCZero

Thank you to everyone here who chimed in. I have this resolved. After thinking over the issue a bit and typing in my last question, I went into WHM -> Service Configuration -> Manage Service SSL Certificates and reinstalled the certificate with the new CA bundle. All works fine now.
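
The failure this thread works through, reproduced offline as an added example (not part of the original posts): a client that trusts only the root cannot verify a certificate signed by an intermediate unless the server sends that intermediate, which is what the CA bundle field supplies. The PKI, its names and the helper functions are constructed for the demo; `bundle_matches` is a name-level check only, since the thread does not show how WHM decides that "The CA bundle does not match the certificate."

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf. All names are made up.
set -e
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$D/ca.cnf"

# new_csr NAME CN: fresh key plus certificate signing request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$D/ca.cnf" -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}

make_chain() {
  # Self-signed root: the only certificate the simulated client trusts
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$D/ca.cnf" \
    -extensions ca -subj "/CN=Demo Root CA" \
    -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null
  # Intermediate CA signed by the root (what a CA bundle carries)
  new_csr int "Demo Intermediate CA"
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -set_serial 1 -days 2 -extfile "$D/ca.cnf" -extensions ca \
    -out "$D/int.pem" 2>/dev/null
  # Server certificate signed by the intermediate, not by the root
  new_csr leaf "host.example.test"
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
    -set_serial 2 -days 2 -out "$D/leaf.pem" 2>/dev/null
}

# chain_ok LEAF [BUNDLE]: can a client holding only the root verify LEAF,
# given the extra certificates (BUNDLE) the server sends with it?
chain_ok() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$D/root.pem" -untrusted "$2" "$1" 2>/dev/null
  else
    openssl verify -CAfile "$D/root.pem" "$1" 2>/dev/null
  fi | grep -q ': OK$'
}

# bundle_matches LEAF BUNDLE: is the first bundle cert named as LEAF's issuer?
bundle_matches() {
  [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
    "$(openssl x509 -noout -subject_hash -in "$2")" ]
}

make_chain
chain_ok "$D/leaf.pem" && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
chain_ok "$D/leaf.pem" "$D/int.pem" && echo "leaf + bundle: trusted" || echo "leaf + bundle: NOT trusted"
bundle_matches "$D/leaf.pem" "$D/root.pem" && echo "root as bundle: matches" || echo "root as bundle: does not match"
```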
 

PCZero

I came back to post a tad bit more info. While I have resolved the initial warning issue, I do still have some concern over the BEAST problem. I have little knowledge at all of this situation and I have no idea at all if it is still relevant and/or something that a server owner should be concerned with to any degree. Any input on this topic would be greatly appreciated.
 

PCZero

My search only found two and neither gave a definitive answer as to what the level of concern should be and how to resolve the issue if need be. Perhaps my search parameters were too strict. I'll try again.
 

PCZero

OK I found a few more instances of this discussion but the one that seems to have a fix is several years old. It states the following...


"I believe the following should work properly but have not had specific confirmation back from clients who had it flagged on their PCI scans:

In WHM >> Apache Configuration >> Global Configuration:
Change "SSL Cipher Suite" to the custom field and enter:
"ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"

In WHM >> Apache Configuration >> Include Editor:
Add "SSLHonorCipherOrder On" to Pre VirtualHost Include - All Versions

Tony Kammerer - Senior Admin, United Communications Ltd.

Beast TLS Vulnerability


When I looked at the settings for the server in question, the first parameter is currently set to:
"ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

The second is empty.

Are the suggested settings still valid and suggested as the fix for this issue?
 

PCZero

Last post for now... I went ahead and made the changes suggested in the above referenced post. That got rid of the BEAST warning but the RC4 warning remains. Questions are as follows...

1) To get rid of the RC4 warning do I simply need to change the first setting to this (removed RC4)...
"ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH"

2) Is there anything I should be aware of with making these changes, IOW are there consequences of making these changes other than eliminating the warnings that I am getting when running the tests?

Thanks...
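
What a cipher string actually selects depends on the OpenSSL build that evaluates it, so the three strings quoted in this thread can be expanded locally before one is put into the "SSL Cipher Suite" field. The following is an added example, not part of the original posts; the variable and function names are made up for it.

```shell
#!/bin/sh
# Expand the thread's three cipher strings with the local OpenSSL build.
# Results differ per build: many current builds ship without RC4 at all.
ORIGINAL='ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP'
SUGGESTED='ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH'
WITHOUT_RC4='ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH'

# expand STRING: suite names the string selects, in preference order.
# `openssl ciphers` lists TLS 1.3 suites regardless of the string,
# so those are filtered out.
expand() {
  openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" {print $1}'
}

# rc4_count STRING: how many selected suites use RC4
rc4_count() { expand "$1" | grep -c 'RC4' || true; }

# top_suite STRING: first preference, which the server enforces only
# when SSLHonorCipherOrder is On
top_suite() { expand "$1" | head -n 1; }

report() {
  printf '%-12s suites=%s rc4=%s first=%s\n' "$1" \
    "$(expand "$2" | wc -l | tr -d ' ')" "$(rc4_count "$2")" "$(top_suite "$2")"
}

report original    "$ORIGINAL"
report suggested   "$SUGGESTED"
report without_rc4 "$WITHOUT_RC4"
```

Run it on the server itself, since the OpenSSL there is the one Apache uses; a non-zero `rc4` for a string means that string still offers RC4 on that build.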