Recently one of our users complained that he couldn't access our site on his Android phone.
He was getting an ERR_CERT_AUTHORITY_INVALID error in Chrome browser on his phone, but it was fine on his desktop and other devices. It took us a while to figure out the issue, so I decided to share the solution.
Our servers are running on IIS 8 on Windows Server and the user's phone is running on Android 4.1.2. It is a pretty old version of Android and I do not know for sure what other versions are affected, but I'm fairly certain it is anything up to 4.2.
You can use SSL Labs to find out if your server is affected. Enter your URL, wait for it to build the report and then scroll down to "Certification Paths". If you see "Extra download" in there you are probably affected.
This is an issue with your certification chain. To put it simply, whenever you visit an "https://" site, your browser requires not only your certificate but also all other certificates in the chain. Namely root and intermediate certificates of your SSL provider.
Usually, your web-server serves the whole chain. But even if the supplied chain is incomplete or has other issues, most desktop and mobile browsers can figure it out themselves by downloading missing certificates and putting them in the correct order in the chain.
Old versions of Android, however, are pickier and require a correct chain to be supplied from a server.
Obviously you need to install the missing certificates on the server, BUT this can result in multiple "certification paths" and you STILL might be getting the "extra download"
In our case, the issue was that IIS supplied an extra unneeded certificate in the chain. So the solution on Windows Server IIS is to simply disable it.
Go back to the SSL Labs report and find the certificate that requires extra download and remember its name. Now go to certmgr.msc on your server, toggle ‘Trusted Root Certification Authorities' and locate that certificate in the list. In our case it was called COMODO RSA Certification Authority. Right-click it and choose "Properties" and set it to "Disable all purposes for this certificate".
Deleting the certificate won't work, because Windows will auto download it again. Just disable all purposes. You will need to reboot your server. Restarting IIS won't be enough.