Archive for January, 2016

Posted by keith.wirch at January 9, 2016

Category: Uncategorized

Being super pumped for the new Lets Encrypt project, I signed up for it shortly after beta and started using it some production web servers.  As of this posting, I haven’t done on this web server… obviously.  But I should do that soon.  A couple customers use Owncloud and DAVdroid to sync their files with works great but they kept getting this error message on their phones.


Well that got really annoying quick and many times caused syncing to fail. People got mad… I got called… meh.  IT Happens.

Seems there is an X1 chain of certificates that is not trusted or a link in the chain is just unknown to android.  To fix this, we just need to add a link in the chain to let it know.  Full disclosure though, I did not think of this on my own.  I found the answer on this page.

The error appears in Firefox it seems for the same reasons.  The last post in the thread shows you need to do.  Those of you with Nginx should be able to do something similar but this was the solution for me with all my Apache Servers.  Where is solution from the last post in the thread.

cd /etc/letsencrypt/archive/yourdomain/
nano Apache config file:/etc/apache2/mods-available/ssl.conf
# add SSLCertificateChainFile "/etc/letsencrypt/archive/yourdomain/lets-encrypt-x1-cross-signed.pem" to the config file before </IfModule>
# exit and save restart Apache

This will give whatever client, be it Firefox or DAVdroid, the links in the certificate chain to trust the certificate.  I’m not an expert in certificates but I am assuming this is a short lived bug in the project.

Props to the Lets Encrypt Project and it’s sponsors for this.  This is huge and will change the internet for the better.