
I am hosting a website at https://www.tabletop.cloud

A while back I switched from the DST Root CA X3 root certificate to the ISRG Root X1 certificate. When I access my website in every browser the SSL certificate seems to be working as normal (see below images 1 & 2).

However, I have an iPad that is refusing to use the new certificate and for some reason is receiving a recently signed version of the DST Root CA X3 certificate. (See below image 3, screenshot taken with TLS inspector app)

I've checked if the iPad accepts other websites with the ISRG Root X1 certificate, and it does so without issue.

I've also tried deleting the certificates and letting acme.sh generate new ones from scratch. (However I did not delete the configuration files in /root/.acme.sh/tabletop.cloud because I was unsure if I could do so safely)

I am really confused because I did not think that it was possible to supply different SSL certs based on platform/browser(?).

I am using:

  • Apache 2.4.41
  • acme.sh for Let's Encrypt certificate requests


Milan
  • At first glance I see that your server only sends the signed server certificate and not the intermediate / chain certificate(s). That might be the reason stuff breaks. Consider using the `fullchain` version instead of only the certificate in your Apache SSL config – Bob Feb 21 '22 at 13:44
  • Interesting, I noticed this on the SSL Labs test. I'll try that out, thanks! – Milan Feb 21 '22 at 15:07
  • @Bob You're a hero, this fixed the issue! If you add it as an answer I will accept it when I can! – Milan Feb 21 '22 at 15:34

1 Answer

Thank you for including your actual domain name. At first glance I see that your server only sends the signed server certificate and not the intermediate / chain certificate(s). That might be the reason stuff breaks.

Consider using the "fullchain" certificate bundle in your SSLCertificateFile instead of only the server certificate in your Apache SSL config, or alternatively add an SSLCertificateChainFile directive with the CA certificates that issued / signed your server certificate.

Bob
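One way to check from the command line whether a server sends its intermediate certificates, before and after the change described in this answer. This is an added example, not part of the original answer; the function names and the sample `openssl s_client` output (host and CA names) are constructed for illustration.

```shell
#!/bin/sh
# Classify the "Certificate chain" section printed by `openssl s_client`
# (read on stdin): leaf only, complete linked chain, or mismatched chain.
chain_verdict() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/ && n   { sub(/^ +i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-certificates"; exit }
      if (n == 1) { print "leaf-only: server did not send issuer [" iss[1] "]"; exit }
      # Each certificate must be issued by the next one the server sent.
      for (k = 1; k < n; k++)
        if (iss[k] != subj[k + 1]) { print "chain-mismatch at depth " (k - 1); exit }
      print "chain-ok: " n " certificates sent"
    }'
}

# Live check against a host (needs network access and the openssl CLI).
check_host() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    chain_verdict
}

# Constructed sample: only the server certificate is sent, which is the
# situation when SSLCertificateFile points at the certificate alone.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
---'

# Constructed sample: the fullchain bundle is served (leaf + intermediate).
SAMPLE_FULL='Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate
 1 s:C = XX, O = Example CA, CN = Example Intermediate
   i:C = XX, O = Example CA, CN = Example Root
---'

printf '%s\n' "$SAMPLE_LEAF_ONLY" | chain_verdict
printf '%s\n' "$SAMPLE_FULL" | chain_verdict
```

Running `check_host` with the site's hostname after reloading Apache should move the verdict from `leaf-only` to `chain-ok`. A browser passing while this reports `leaf-only` is consistent with the symptom in the question, since some clients obtain or cache the missing intermediate on their own.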