by floatingatoll 2176 days ago
The certificate is issued by Let’s Encrypt [2], and has a valid and correct intermediate chain from the server [1]. Have you knowingly altered your browser’s TLS security settings, or certificate root store settings (for example, to distrust X3), or are you running an especially old browser on an out-of-date platform? Being able to see a screenshot of which intermediate your browser is refusing to trust would be helpful [3]. (Unless you’re somehow being MITM’d, which can happen on some internet connections or with certain ‘security’ software on Windows or by mitmproxy left enabled, in which case the screenshot of the certificate chain will look nothing like Let’s Encrypt at all and help diagnose that too.)

[1] Normal LE: https://www.ssllabs.com/ssltest/analyze.html?d=www.mail-arch...

[2] Test site: https://valid-isrgrootx1.letsencrypt.org/

[3] In the developer console, there should be a security tab with a View Details button.


I am using a mobile browser, it could be out of date but I didn't tinker with the network settings. I doubt only this site would get MITM'd. I will see if I can get more details from it.

Screenshot: https://i.imgur.com/JmdC8Yi.png

Now I get a MAC error instead of a cert error

I would say with near certainty that your issues stem from your OS/browser, or if you have any security apps installed, those could be at fault too (since they sometimes run network interception). You might test a browser that ships its own SSL stack (I believe Firefox Android does, though I’m not 100% certain) and see if it Just Works in that, but at the end of the day, I’d simply recommend backing up your data and settings, factory resetting the device and updating it to latest, and then restoring your data and settings — there’s far too many things that can go wrong, especially in rooted scenarios, and I don’t have the ability to triage and repair beyond highlighting the three possible vectors you could tackle exploring yourself.
Not rooted, no security software, tried different browsers and I am using FF Android in that screenshot.

Perhaps the stingrays are acting up this morning ;)

I wish I knew how to diagnose SSL issues in Firefox Android in order to learn more about why you’re experiencing issues here. If you’re on cellular, try WiFi? Does it affect any other phones in your house? Etc.
The really labour intensive thing you could do goes like this:

1. Get a nice shiny modern Wireshark

2. Tell Firefox you want it to keep records of the session secrets that secure TLS. Set environment variable SSLKEYLOGFILE=/some/path/to/log/secret.keys

3. Packet capture the session you're interested in

4. Give Wireshark the packet capture (if not captured inside Wireshark itself) and the secret.keys

5. Now Wireshark can show the TLS session and you can see what went wrong in detail. So long as you didn't actually do anything secret you can give all these pieces to somebody else to look at.

6. Otherwise, after your investigation destroy the secret.keys and optionally the packet capture itself.

I've used this level of effort to show a customer that, contrary to what they believed, they were not presenting the nice client certificate I'd issued them when connecting. It turned out to be a config difference between their staging and production systems or something. But they were absolutely insistent their software was being turned away despite using a client cert (we used mutual TLS) so it took posting a Wireshark capture proving otherwise to get them to actually investigate.
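Before handing a key log and capture to someone else (step 5 above), it is worth checking that the log actually covers the sessions in the capture: Wireshark matches each SSLKEYLOGFILE line to a session by the 32-byte client random sent in the ClientHello, so a log written by the wrong process or started after the connection opened decrypts nothing. The script below is an added example, not code from this thread or from Wireshark; it parses the key log format that NSS (Firefox) and OpenSSL write, pulls the client random out of a ClientHello record, and reports which captured sessions are decryptable. The key log lines and ClientHello records it runs on are constructed for the example, not real secrets or a real capture.

```python
import struct

# Labels NSS/OpenSSL write to SSLKEYLOGFILE. CLIENT_RANDOM carries the TLS 1.2
# master secret; the rest are the TLS 1.3 per-direction traffic secrets.
KEYLOG_LABELS = (
    "CLIENT_RANDOM",
    "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET",
)


def parse_keylog(text):
    """Parse an SSLKEYLOGFILE into {client_random_hex: {label: secret_hex}}.

    Each line is '<LABEL> <32-byte client random, hex> <secret, hex>'. Blank
    and '#' lines are skipped; anything else raises, so a mis-set or
    truncated log is noticed before it is shipped to someone.
    """
    sessions = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in KEYLOG_LABELS:
            raise ValueError(f"keylog line {lineno}: not a key log entry: {line!r}")
        label, client_random, secret = parts
        try:
            if len(bytes.fromhex(client_random)) != 32:
                raise ValueError
            bytes.fromhex(secret)
        except ValueError:
            raise ValueError(f"keylog line {lineno}: bad hex") from None
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions


def client_random_from_record(record):
    """Return the client random (hex) from a TLS record carrying a ClientHello.

    Layout: record header type(1)=0x16 version(2) length(2); handshake header
    type(1)=0x01 length(3); ClientHello legacy_version(2) random(32) ...
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    (hs_len,) = struct.unpack("!I", b"\x00" + body[1:4])
    hello = body[4:4 + hs_len]
    if len(hello) < 34:
        raise ValueError("truncated ClientHello")
    return hello[2:34].hex()


def coverage(keylog_text, client_hello_records):
    """Report, per captured ClientHello, whether the key log can decrypt it.

    Returns [(client_random_hex, status)] with status 'tls1.2', 'tls1.3' or
    'missing'. This is the same client-random lookup Wireshark performs.
    """
    keys = parse_keylog(keylog_text)
    report = []
    for rec in client_hello_records:
        cr = client_random_from_record(rec)
        labels = keys.get(cr, {}).keys()
        if "CLIENT_RANDOM" in labels:
            status = "tls1.2"
        elif {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"} <= labels:
            status = "tls1.3"
        else:
            status = "missing"
        report.append((cr, status))
    return report


def make_client_hello(client_random):
    """Constructed minimal ClientHello record for offline testing, not a real capture."""
    hello = (b"\x03\x03" + client_random     # legacy_version, random
             + b"\x00"                         # session_id length 0
             + b"\x00\x02\x13\x01"             # one cipher suite
             + b"\x01\x00"                     # null compression
             + b"\x00\x00")                    # no extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample: two sessions logged, three ClientHellos captured.
RANDOM_A, RANDOM_B, RANDOM_C = bytes(range(32)), bytes(range(32, 64)), bytes(range(64, 96))
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not a real secret log",
    f"CLIENT_RANDOM {RANDOM_A.hex()} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'bb' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {RANDOM_B.hex()} {'cc' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'dd' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {RANDOM_B.hex()} {'ee' * 32}",
])
SAMPLE_CAPTURE = [make_client_hello(r) for r in (RANDOM_A, RANDOM_B, RANDOM_C)]

if __name__ == "__main__":
    for cr, status in coverage(SAMPLE_KEYLOG, SAMPLE_CAPTURE):
        print(cr[:16], status)
```

The third session comes back "missing": that is what a capture looks like when the log was started too late or the traffic came from a process that never saw SSLKEYLOGFILE (a browser that uses the platform TLS stack instead of its own, for instance). Treat the key log as the secret it is: it decrypts everything it covers, so as step 6 says, delete it once the investigation is over.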