CHT Android gives “Unable to contact server" Error

Was doing a training on our current project today, and couldn’t load the CHT app on android.
We renewed our SSL Certificates, which are attached to the JKUAT domain and subdomains, and worked well on the web browser and we can access the CHT application.
Configuring the Medic Android app by sharing our test server URL gives the error, “Unable to contact server”
I share our SSL browser settings, please review and advise

@oyierphil - This looks to be a public instance - would you mind sharing the URL? We can then debug the server to see if the it is configured correctly from a TLS perspective.

Without knowing, more, I would guess that maybe you didn’t load all the correct certificates such that the TLS chain doesn’t validate? This can cause desktop browsers to work but Android clients to fail (often cht-conf as well). You can check this thread for more information.

The URL is
Trying to explore the intermediate certificate from our provider

THanks @oyierphil ! Indeed, looking on SSL Labs I see chain issues. Double checking on the command line, it reports chain issues as well:

openssl s_client -connect

depth=0 C = KE, ST = Nairobi City, O = KENET, CN = *
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = KE, ST = Nairobi City, O = KENET, CN = *
verify error:num=21:unable to verify the first certificate
verify return:1

The easiest way to fix this is to ensure you have the latest private key in one file (default.key) and then concatenate your primary certificate followed by any intermediate chain certificates into the certificate file (default.crt). You should be able to download these from your certificate authority (CA), which looks to be Sectigo Limited.

After you have installed the key and certs and restarted nginx, test in with SSL Labs and curl per above.

Best of luck!

1 Like

Joined the primary SSL certificate with the intermediate and now we can access the app from the Medic Android, thank you for always being there

Super - that’s great news! Thanks for reporting back about your success @oyierphil .

A post was split to a new topic: TLS chaining issues in CHT 4.x