Our website using Let's Encrypt through Nginx is all green on SSLLabs test (A- score).
But on one Android phone it accepts the certificate and sees the trust chain up to the root certifying authority, but still says the site isn't fully trusted:
Here's the certificate info:
How do we fix this?
Partial quote of the text in the first image:
The identity of this website has not been verified. The identity of the server to which you are connected cannot be fully validated. You are connected to a server using a name valid only within your network, and an external certificate authority has no way to validate ownership.
Browser is Samsung 'Internet' version 3.5.38
I don't think you can do anything about it but to upgrade your Android.
The problem here is a generic top-level domain `.vip` and older Android versions do not recognise them as public (hence the "a name valid only within your network" message). It's a known problem and Wikipedia lists it as one of the technical issues with these domains.
With Internet app version 4.0 on Android Marshmallow, your certificate is verified properly.
The Internet application is a component of Android, so it's not Samsung, but Google.