You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not - or even better - will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.

您的证书文件中可能缺少中间证书。如果您已经访问过具有相同证书卖家的其他网站，则浏览器中会记住中间证书。这可能不是 - 甚至更好 - 不会对您网站的每个访问者都如此。要解决 SSL 连接中缺少的中间证书，您需要将中间证书添加到您自己的证书文件中。

GoDaddy has some info on the intermediate certificates (but the best source is always your certificate provider): http://support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

GoDaddy 有一些关于中间证书的信息（但最好的来源始终是您的证书提供商）：http: //support.godaddy.com/help/article/868/what-is-an-intermediate-certificate

I once had this issue of an intermediate cert (with Commodo too) and had to combine my own cert file with the intermediate CA's to work. Once done no errors occurred anymore.

我曾经遇到过中间证书的问题（也有 Commodo），并且不得不将我自己的证书文件与中间 CA 结合起来才能工作。完成后不再发生错误。

Installation instructions per webserver by Godaddy: http://support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale=en

Godaddy 每个网络服务器的安装说明：http: //support.godaddy.com/help/article/5346/installing-an-ssl-server-instructions?locale= en

And here is a list of the most common installation guides by Commodo themselves: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make-my-own-bundle-file-from-crt-files

以下是 Commodo 自己最常用的安装指南列表：https: //support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1145/0/how-do-i-make- 我自己的捆绑文件来自 crt 文件

Depending on what webserver you are using, you'll need to specify all certificates (domain certificate, intermediate and root) or combine them into one (eg for Nginx) in the order:

根据您使用的网络服务器，您需要按以下顺序指定所有证书（域证书、中间证书和根证书）或将它们合二为一（例如对于 Nginx）：

1. domain certificate
2. intermediate certificate
3. root certificate

1. 域名证书
2. 中级证书
3. 根证书

An easy way of doing this in an SSH terminal is by typing:

在 SSH 终端中执行此操作的一种简单方法是键入：

cat domainfile intermediatefile rootfile > targetfile

Certificate test tool

证书测试工具

If you encounter further problems or are unsure whether the certificate is correct, please try an online tool to verify your SSL certificate. For instance: networking4all.com/en/ssl+certificates/quickscan

如果您遇到更多问题或不确定证书是否正确，请尝试使用在线工具验证您的 SSL 证书。例如：networking4all.com/en/ssl+certificates/quickscan

SNI support for android 2.2 and lower

SNI 支持 android 2.2 及更低版本

Please note android 2.2 (and probably older) do not support SNI, which allows multiple SSL certificates for different hostnames to work without issues on one single IP address. Thanks to @technyquist for providing that information. Please review this SO question about SNIfor more information on this issue.

请注意 android 2.2（可能更早）不支持 SNI，它允许不同主机名的多个 SSL 证书在单个 IP 地址上正常工作而不会出现问题。感谢@technyquist 提供这些信息。请查看有关 SNI 的 SO 问题以获取有关此问题的更多信息。

You have to create a crt bundle then it will be fine. You will be receiving three crt files. Use them all! If you only used the domain.crt then there will be warning on android but not on PC.

您必须创建一个 crt 包，然后就可以了。您将收到三个 crt 文件。全部使用它们！如果您只使用 domain.crt，那么在 android 上会出现警告，但在 PC 上不会。

I am on nginx. I opened domain_name.crt and then opened positivesslca2.crt, select all and copy to the end of domain_name.crt. Then open AddTrustExternalCARoot.crt, copy to the end of domain_name.crt again. Then install the domain_name.crt

我在 nginx 上。我打开domain_name.crt，然后打开positivesslca2.crt，全选复制到domain_name.crt的末尾。然后打开AddTrustExternalCARoot.crt，再次复制到domain_name.crt的末尾。然后安装 domain_name.crt

works good.

效果很好。

Adding this here as it might help someone. I was having problems with Android showing the popup and invalid certificate error.

在此处添加此内容，因为它可能对某人有所帮助。我在使用 Android 时遇到问题，显示弹出窗口和无效证书错误。

We have a Comodo Extended Validation certificate and we received the zip file that contained 4 files:

我们有 Comodo 扩展验证证书，我们收到了包含 4 个文件的 zip 文件：

• AddTrustExternalCARoot.crt
• COMODORSAAddTrustCA.crt
• COMODORSAExtendedValidationSecureServerCA.crt
• www_mydomain_com.crt

• 添加TrustExternalCARoot.crt
• COMODORSAAddTrustCA.crt
• COMODORSAExtendedValidationSecureServerCA.crt
• www_mydomain_com.crt

I concatenated them together all on one line like so:

我将它们全部连接在一行上，如下所示：

cat www_mydomain_com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www.mydomain.com.ev-ssl-bundle.crt

cat www_mydomain_com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www.mydomain.com.ev-ssl-bundle.crt

Then I used that bundle file as my ssl_certificate_keyin nginx. That's it, works now.

然后我ssl_certificate_key在 nginx 中使用了那个包文件。就是这样，现在可以工作了。

Inspired by this gist: https://gist.github.com/ipedrazas/6d6c31144636d586dcc3

受此要点的启发：https: //gist.github.com/ipedrazas/6d6c31144636d586dcc3

With Comodo PositiveSSL we have received 4 files.

使用 Comodo PositiveSSL，我们收到了 4 个文件。

• AddTrustExternalCARoot.crt
• COMODORSAAddTrustCA.crt
• COMODORSADomainValidationSecureServerCA.crt
• our_domain.crt

• 添加TrustExternalCARoot.crt
• COMODORSAAddTrustCA.crt
• COMODORSADomainValidationSecureServerCA.crt
• our_domain.crt

When we followed the instructions on comodo site - we would get an error that our certificate was missing an intermediate certificate file.

当我们按照 comodo 站点上的说明进行操作时 - 我们会收到一个错误，提示我们的证书缺少中间证书文件。

Basically the syntax is

基本上语法是

cat our_domain.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt  AddTrustExternalCARoot.crt > domain-ssl_bundle.crt

I've recently ren into this issue with Commodo cert I bought on ssls.com and I've had 3 files:

我最近在 ssls.com 上购买的 Commodo 证书遇到了这个问题，我有 3 个文件：

domain-name.ca-bundle domain-name.crtand domain-name.p7b

domain-name.ca-bundle domain-name.crt和domain-name.p7b

I've had to set it up on Nginx and this is the command I ran:

我不得不在 Nginx 上设置它，这是我运行的命令：

cat domain-name.ca-bundle domain-name.crt > commodo-ssl-bundle.crt

I then used commodo-ssl-bundle.crt inside the Nginx config file and works like a charm.

然后我在 Nginx 配置文件中使用了 commodo-ssl-bundle.crt 并且效果很好。

I had the same issue and my issue was the device not having the right date and time. Once I fixed that the certificate is being trusted.

我遇到了同样的问题，我的问题是设备没有正确的日期和时间。一旦我确定证书是可信的。

I had the same error because I didn't issued a Let's Encrypt cert for the www.my-domain.com, only for my-domain.com

我遇到了同样的错误，因为我没有为www.my-domain.com颁发 Let's Encrypt 证书，仅适用于 my-domain.com

Issuing also for the www.and configuring the vhost to load certificates for www.my-domain.com before redirecting to https://my-domain.comdid the trick.

也为www发行。并配置虚拟主机以在重定向到https://my-domain.com之前加载www.my-domain.com 的证书就成功了。

Make sure you also use your intermediate crt (.crt file with a bundle.. some providers also call it bundle or ca certificate). then in your ssl.conf,

确保您还使用中间 crt（带有捆绑包的 .crt 文件。一些提供商也称其为捆绑包或 ca 证书）。然后在你的 ssl.conf 中，

SSLCertificateFile </path/for/actual/certificate>

SSLCACertificateFile </path/for/actual/intermediate_certificate>

then restart your webserver :ex for apache use :

然后重新启动您的网络服务器：ex 以供 apache 使用：

sudo service httpd restart

With Godaddy certs you most likely will have a domain.key, gd_bundle_something.crtand (random alphanumeric string) 4923hg4k23jh4.crt

使用 Godaddy 证书，您很可能会有一个domain.key,gd_bundle_something.crt和（随机字母数字字符串）4923hg4k23jh4.crt

You'll need to: cat gd_bundle_something.crt >> 4923hg4k23jh4.crt

你需要： cat gd_bundle_something.crt >> 4923hg4k23jh4.crt

And then, on nginx, you will use

然后，在 nginx 上，您将使用

ssl                  on;
ssl_certificate      /etc/ssl/certs/4923hg4k23jh4.crt;
ssl_certificate_key  /etc/ssl/certs/domain.key;

I had the same problem. Another way to generate the correct .crt file is like this:

我有同样的问题。另一种生成正确 .crt 文件的方法是这样的：

Sometimes you get a .PEM file with an entire certificate chain inside. The file may look like this....

有时您会得到一个包含整个证书链的 .PEM 文件。该文件可能看起来像这样......

-----BEGIN RSA PRIVATE KEY-----
blablablabase64private...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT1...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
blablablabase64CRT2...
-----END CERTIFICATE-----
...

If you remove the entire private keysection, you will have a valid chained .crt

如果您删除整个private key部分，您将拥有一个有效的链式 .crt