Information Security
tls certificates android letsencrypt
Updated Sat, 18 Jun 2022 08:15:51 GMT

Why does Samsung Android browser say our site has a valid certificate, but the site identity has not been verified?


Our website, using Let's Encrypt through Nginx, is all green on the SSLLabs test (A- score).

But on one Android phone it accepts the certificate and sees the trust chain up to the root certifying authority, but still says the site isn't fully trusted:

Picture of a popup saying "ekaya.vip" The identity of this website has not been verified. etc.

Here's the certificate info:

Information on the certificate used by the "ekaya.vip" website

How do we fix this?


Partial quote of the text in the first image:

The identity of this website has not been verified. The identity of the server to which you are connected cannot be fully validated. You are connected to a server using a name valid only within your network, and an external certificate authority has no way to validate ownership.

Browser is Samsung 'Internet' version 3.5.38




Solution

I don't think you can do anything about it but upgrade your Android.

The problem here is the generic top-level domain .vip: older Android versions do not recognise it as public (hence the "a name valid only within your network" message). It's a known problem, and Wikipedia lists it as one of the technical issues with these domains.

With Internet app version 4.0 on Android Marshmallow, your certificate is verified properly.


The Internet application is a component of Android, so it's not Samsung, but Google.