
Comodo SSL: ERR_CERT_AUTHORITY_INVALID on Chrome mobile and Opera mobile (Android)


For those interested here is how I solved the problem.

Problem: an intermediate Comodo certificate was missing in my certificate chain. My SSL certification authority (Gandi.net) was in charge of the relationship with Comodo and Gandi only gave me two certificates: a base certificate + an intermediate certificate. Both were in .pem format. I installed both and it was enough for almost any browser except for a couple of mobile browsers. Actually a Comodo intermediate certificate called "COMODO RSA Certification Authority" was missing.

Solution in 2 steps:

1) found the repository containing all the Comodo certificates here https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/0/which-is-root-which-is-intermediate. I copy pasted mine in .PEM format from this page https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/977/108/extended-validation-sha-2 (it is called "#intermediate1" here, not "COMODO RSA Certification Authority").

2) concatenated this new intermediate certificate with the first intermediate certificate I already had (called "#intermediate2" on the Comodo website) by putting this new certificate at the end of the first certificate. I did it this way:

    -----BEGIN CERTIFICATE-----
    intermediate#2
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    intermediate#1
    -----END CERTIFICATE-----

Hope it will help!


I'm hosting my site under nginx and I also had the same problem with my Android application. The above accepted answer directed me to my solution:

When I got the certificate (my-domain.crt) I created a bundle crt file which was generated by combining my certificate with the ComodoRSADomainCA and ComodoRSAAddTrustCA PEM content:

cat my-domain.crt ComodoRSADomain.crt ComodoRSAAddTrustCA.crt > ssl-boundle.crt

When I linked ssl-boundle.crt to nginx then the clients didn't have any issues exchanging data. And also I got this nice result on ssllabs:

The happy score :)


The certificate chain is incomplete. The "extra download" proves it.

You must send the chain including the missing certificate indicated by ssllabs.

Note that the connection works most of the time because browsers keep a cache of certificates.
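
Added example, not part of any of the answers above: a standard-library Python check for the leaf-first bundle that the answers build by concatenation. It flags glued PEM markers, a leaf-only bundle and out-of-order certificates. It assumes issuer and subject names match byte for byte and does not verify signatures or trust; `check_bundle` and its helpers are names made up for this example.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def subject_and_issuer(der):
    """Return the raw DER Name elements (subject, issuer) of one certificate."""
    _, off, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, off, _ = read_tlv(der, off)          # tbsCertificate SEQUENCE
    fields = []                             # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, off)
        if tag != 0xA0:                     # skip the optional [0] version wrapper
            fields.append(der[off:end])
        off = end
    return fields[4], fields[2]

def check_bundle(text):
    """Return a list of problems in a leaf-first PEM bundle (empty list = none found)."""
    problems = []
    # OpenSSL's PEM reader wants every marker on its own line; joining files that
    # lack a trailing newline glues END and BEGIN together.
    if re.search(r"-----END CERTIFICATE-----[^\r\n]", text):
        problems.append("END marker is not followed by a newline")
    ders = [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]
    if not ders:
        return problems + ["no certificates found"]
    names = [subject_and_issuer(d) for d in ders]
    if len(names) == 1 and names[0][0] != names[0][1]:
        problems.append("only the leaf is present; no intermediate would be sent")
    # Assumption: issuer and subject Names match byte for byte.
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1]) as fh:
        print(check_bundle(fh.read()) or "chain order is consistent")
```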