Android Chrome SSL Certificate Trust Error: Troubleshooting “NET::ERR_CERT_AUTHORITY_INVALID” for PositiveSSL on Ubuntu Servers



When testing https://blendbee.com with a valid PositiveSSL certificate, I noticed platform-specific validation behavior:

  • Windows Chrome: Green lock icon (proper chain validation)
  • Android Chrome: Red warning with NET::ERR_CERT_AUTHORITY_INVALID

The server environment consists of:

OS: Ubuntu 13.10
Hosting: Digital Ocean
Webserver: (Assuming) Nginx/Apache
Certificate: PositiveSSL (SHA-256)

The most common culprit is incomplete certificate chain configuration. Let's verify using OpenSSL:

openssl s_client -connect blendbee.com:443 -servername blendbee.com -showcerts

Expected output should show three certificates:

  1. Your domain certificate
  2. Intermediate CA certificate
  3. Root CA certificate
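
As an added example (not part of the original page), the shell function below reads the output of the s_client command above and checks that every certificate in its "Certificate chain" summary is issued by the next one, flagging a server that sends only its leaf. The function names and the example.test certificate names are constructed for illustration.

```sh
# check_chain: read `openssl s_client -showcerts` output on stdin and test the
# "Certificate chain" summary. Exit 0 = linked, 1 = broken, 2 = no chain seen.
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/       { in_chain = 1; next }
    in_chain && /^---$/        { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n++] = $0; next }
    END {
      if (n == 0) { print "NO CHAIN: no certificate chain section in input"; exit 2 }
      for (k = 0; k + 1 < n; k++)
        if (iss[k] != subj[k + 1]) { printf "BROKEN: cert %d is not issued by cert %d\n", k, k + 1; exit 1 }
      if (n == 1 && subj[0] != iss[0]) { print "INCOMPLETE: only the leaf was sent, intermediate missing"; exit 1 }
      printf "OK: %d certificates, each issued by the next\n", n
    }
  '
}

# Constructed sample output (hypothetical names): server sends the leaf only.
sample_leaf_only() {
  cat <<'EOF'
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example DV Intermediate CA
-----BEGIN CERTIFICATE-----
(base64 omitted)
-----END CERTIFICATE-----
---
EOF
}

# Constructed sample output: leaf, intermediate and root, in order.
sample_full() {
  cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.example.test
   i:/C=XX/O=Example CA/CN=Example DV Intermediate CA
 1 s:/C=XX/O=Example CA/CN=Example DV Intermediate CA
   i:/C=XX/O=Example CA/CN=Example Root CA
 2 s:/C=XX/O=Example CA/CN=Example Root CA
   i:/C=XX/O=Example CA/CN=Example Root CA
---
EOF
}

sample_full | check_chain
sample_leaf_only | check_chain || true
```

Against a live server, pipe the real output in: openssl s_client -connect blendbee.com:443 -servername blendbee.com -showcerts </dev/null 2>/dev/null | check_chain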

Android has stricter requirements for certificate chains. The PositiveSSL intermediate must be properly installed. For Nginx:

ssl_certificate /path/to/domain_cert_plus_intermediate.crt;
ssl_certificate_key /path/to/private.key;
ssl_trusted_certificate /path/to/root_ca.crt;

Create a proper bundle file:

cat domain.crt intermediate.crt root.crt > fullchain.crt

For deeper diagnostics, connect an Android device and run:

adb logcat | grep -i cert

Look for validation errors in the system logs. Common flags include:

  • CertPathValidatorException
  • UnknownTrustAnchor
  • ChainValidationFailed

Check your SSL configuration with these tools:

# Using testssl.sh
./testssl.sh -U blendbee.com

# Using SSL Labs API
curl "https://api.ssllabs.com/api/v3/analyze?host=blendbee.com"

1. Intermediate Certificate Fix:

# For Apache
SSLCertificateFile /path/to/domain.crt
SSLCertificateChainFile /path/to/intermediate.crt

# For Nginx
ssl_certificate /path/to/combined.crt;

2. Root Certificate Update:

Ensure your server has up-to-date CA bundles:

sudo apt-get install ca-certificates
sudo update-ca-certificates

3. Protocol Configuration:

# Modern SSL configuration for Nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';

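After making changes, verify the result. openssl verify checks only the first certificate in the file it is given, so pass the intermediate separately with -untrusted:

openssl verify -CApath /etc/ssl/certs/ -untrusted intermediate.crt -verify_hostname blendbee.com domain.crt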

Cross-check with multiple Android devices of different OS versions, as trust stores vary between Android 8.0+ and older versions.


When testing https://blendbee.com across platforms, I discovered inconsistent behavior:

Windows Chrome (v97+): ✅ Valid (green lock)
Android Chrome (v98+): ❌ Untrusted (red warning)

First, let's inspect the certificate the server presents using OpenSSL (x509 prints only the first certificate, the leaf):

openssl s_client -connect blendbee.com:443 -servername blendbee.com </dev/null 2>/dev/null |
openssl x509 -text -noout

Common findings when Android rejects valid certificates:

  • Missing intermediate certificates
  • SHA-1 signature in chain (deprecated since Android 7+)
  • System clock desync on Android device

For Ubuntu servers running Apache, ensure the intermediates are served along with your certificate, here through SSLCertificateChainFile:

<VirtualHost *:443>
    SSLCertificateFile /etc/ssl/certs/blendbee.crt
    SSLCertificateKeyFile /etc/ssl/private/blendbee.key
    SSLCertificateChainFile /etc/ssl/certs/intermediate.crt
</VirtualHost>

For Nginx users:

ssl_certificate /etc/ssl/certs/blendbee_with_chain.crt;
ssl_certificate_key /etc/ssl/private/blendbee.key;

Try these debugging steps on the Android device:

  1. Clear Chrome's cache: chrome://settings/clearBrowserData
  2. Verify system date/time is correct
  3. Test with Firefox for Android to isolate Chrome-specific issues

Proper certificate concatenation for PositiveSSL:

# Create bundled file
cat blendbee.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > bundle.crt

The chain should follow this order:

  1. Domain certificate
  2. Intermediate certificate
  3. Root certificate

Use SSL Labs' API for comprehensive testing:

curl -X GET "https://api.ssllabs.com/api/v3/analyze?host=blendbee.com"

Look specifically for these Android-related flags:

"android4_4": {"grade": "A"},
"android10": {"grade": "A"}