Encryption Everywhere DV TLS CA - G1 intermediate CA not trusted?

I’m hosting some (non-commercial) websites and services secured with a DigiCert TLS certificate.
With /e/ Android 9, there was no problem with the certificates, but since I have updated to /e/ Android 10, they are not trusted any more in apps like Firefox and Nextcloud and the connection is considered not secure.
On PCs, there are also no problems with the certificates.

The root CA is identical to the one used by wikipedia.org, but the intermediate CA “Encryption Everywhere DV TLS CA - G1” is different, so I guess it is maybe not installed/trusted in the current /e/ Android 10.
Is this correct and what could be the reason? Is there a possibility to install/trust the intermediate CA on the phone (Fairphone 3)?



Do you deliver the intermediate in the certificate bundle server-side?

You can PM me the domain and I'll debug if you want.

I think the server hands out only the certificate: https://luniks.net

Yes, it’s missing. Just cat the cert chain together and offer it in the ssl_certificate path you give nginx. Ordering is as described at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate:

"the primary certificate comes first, then the intermediate certificate(s)"

And debug again with https://www.ssllabs.com/ssltest/

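A local check of the bundle ordering quoted above, as an added example that is not part of the original thread. It assumes the openssl CLI is installed; the function names are hypothetical, and the demo chain is constructed, with a self-signed CA standing in for the intermediate.

```shell
# Added example (not from the thread): check that a PEM bundle for nginx's
# ssl_certificate is ordered leaf first, then intermediate(s).
# Function names are hypothetical; requires the openssl CLI.

# Split bundle $1 into one file per certificate (cert-1.pem, ...) inside dir $2.
split_bundle() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/cert-" n ".pem") }' "$1"
}

# Print the issuer ($1=issuer) or subject ($1=subject) DN of certificate file $2.
dn() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Return 0 only if the bundle holds at least two certificates and each one's
# issuer DN equals the subject DN of the certificate after it (names only;
# signatures are not verified here).
chain_order_ok() {
    local bundle=$1 dir n i rc=0
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle") || true
    [ "${n:-0}" -ge 2 ] || return 1
    dir=$(mktemp -d) || return 2
    split_bundle "$bundle" "$dir"
    i=1
    while [ "$i" -lt "$n" ]; do
        [ "$(dn issuer "$dir/cert-$i.pem")" = "$(dn subject "$dir/cert-$((i + 1)).pem")" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# Constructed sample input: a throwaway leaf signed by a self-signed CA that
# stands in for the intermediate. Files are written to directory $1.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate CA" \
        -keyout "$1/ca.key" -out "$1/intermediate.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/intermediate.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}
```

A bundle containing only the server certificate, which is the misconfiguration found in this thread, makes `chain_order_ok` return non-zero, as does a bundle with the intermediate placed before the leaf.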

Great, thanks a lot already! I’ll try that asap…

That indeed solved it. Now I am just wondering why it worked with /e/ Android 9 and why it also works with browsers on a PC… but anyway, it seems a good idea or even necessary to include the intermediate CA.

And obviously, there is no issue with /e/ :blush:

When it does work, the browser already saw the intermediate previously from another site. I had it already on both mobile browsers when I checked. Curl is a good sanity test then - Preloading Intermediate CA Certificates into Firefox - Mozilla Security Blog

Great photographs on your site, along the Escaut channel - looks nice!
