When your SSL certificate works on desktop browsers but fails on Android devices, you're likely dealing with chain trust issues. The SSL Labs report clearly shows "Extra download" warnings for www.snipsalonsoftware.com, indicating missing intermediate certificates in the trust chain.
Here's what a proper chain should look like:
-----BEGIN CERTIFICATE-----
(Your domain certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA certificate)
-----END CERTIFICATE-----
Android devices maintain their own trust stores, and if any intermediate certificate is missing from your server's configuration, Android won't be able to build the complete trust chain. The "Extra download" warning means the client has to fetch missing certificates separately.
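For Apache servers, make sure the configuration serves the full chain. The directives below use a separate SSLCertificateChainFile; from Apache 2.4.8 that directive is deprecated, and SSLCertificateFile itself can hold the domain certificate followed by the intermediates:
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/intermediate.crt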
For Nginx, concatenate certificates:
ssl_certificate /path/to/combined.crt;  # domain + intermediates
ssl_certificate_key /path/to/your_private.key;
Use OpenSSL to test your configuration:
openssl s_client -connect www.snipsalonsoftware.com:443 -showcerts
This should display the complete certificate chain including all intermediates.
Common mistakes to avoid:
1. Wrong certificate order in bundled files
2. Including root certificates (not needed)
3. Forgetting to restart the web server after changes
After fixing the chain, re-test with SSL Labs and verify Android compatibility. Proper chain configuration should eliminate both the "Extra download" warning and Android trust issues.
When analyzing https://www.snipsalonsoftware.com through Qualys SSL Labs, the "Extra download" warning in the Certification Paths section indicates missing intermediate certificates. This is particularly problematic for Android devices, which maintain stricter certificate validation than desktop browsers.
The web server is likely only sending the end-entity certificate (your domain certificate) without including the necessary intermediate certificates in the chain. Android devices don't automatically fetch missing intermediates, resulting in validation failures.
# Example of incomplete chain (what NOT to do)
SSLCertificateFile /path/to/domain.crt
# Missing SSLCertificateChainFile directive
For Apache servers, you need to configure the certificate chain properly:
# Correct Apache configuration
SSLCertificateFile /path/to/domain.crt
SSLCertificateKeyFile /path/to/domain.key
SSLCertificateChainFile /path/to/intermediate.crt
For Nginx servers, combine certificates in the correct order:
# Nginx proper configuration
ssl_certificate /path/to/combined.crt;
ssl_certificate_key /path/to/domain.key;
# combined.crt should contain:
# 1. Your domain certificate
# 2. Intermediate certificates (in order)
# 3. Root certificate (optional)
Create a proper chain file by concatenating the certificates in order (domain certificate first, then the intermediates):
cat domain.crt intermediate1.crt intermediate2.crt > combined.crt
After making changes, verify with these commands:
# Check certificate chain
openssl s_client -connect www.snipsalonsoftware.com:443 -showcerts
# Verify chain completeness (should return OK)
openssl verify -untrusted intermediate.crt domain.crt
Common mistakes to avoid:
- Incorrect order of certificates in chain file (should be domain → intermediates)
- Including the root certificate (unnecessary and increases handshake size)
- Using wrong intermediate certificates (check with your CA)
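The mistakes listed above can be caught before deployment by checking the bundle file itself. The following is an added example, not code from the original page: it reads a PEM bundle such as combined.crt and reports a missing intermediate, a wrong order or wrong intermediate, and an included root. It assumes byte-for-byte issuer/subject comparison and does not verify signatures; `enc()`, `sample()` and the names passed to them are constructed stand-ins.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = size of length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of one certificate as raw DER Name bytes."""
    _, p, _ = tlv(der, 0)                  # enter Certificate
    _, p, _ = tlv(der, p)                  # enter TBSCertificate
    fields = []                            # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der, p)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def check_bundle(pem_text):
    """List problems in a server chain file (leaf first, then intermediates)."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [] if len(certs) > 1 else ["fewer than 2 certificates: no intermediate served"]
    for i, (issuer, subject) in enumerate(certs):
        if issuer == subject:              # self-signed, i.e. a root
            problems.append(f"cert {i} is a self-signed root, not needed in the bundle")
        elif i + 1 < len(certs) and issuer != certs[i + 1][1]:
            problems.append(f"cert {i} not issued by cert {i + 1}: wrong order or wrong intermediate")
    return problems

def enc(tag, body):  # constructed-sample helper, short-form lengths only
    return bytes([tag, len(body)]) + body

def sample(subject, issuer):  # constructed stand-in, not a real certificate
    name = lambda cn: enc(0x30, enc(0x0C, cn.encode()))
    tbs = enc(0xA0, b"\x02\x01\x02") + enc(0x02, b"\x01") + enc(0x30, b"")
    tbs += name(issuer) + enc(0x30, b"") + name(subject)
    b64 = base64.b64encode(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf, inter = sample("www.example.test", "Example CA"), sample("Example CA", "Example Root")
    print([check_bundle(b) for b in (leaf, inter + leaf, leaf + inter)])
```

To check a real file, pass its contents to `check_bundle()`, for example `check_bundle(open("combined.crt").read())`; an empty list means the order is consistent.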
Besides SSL Labs, test with:
- testssl.sh command line tool
- Chrome DevTools Security panel
- Android's Network Security Configuration