The issue
Some of our website users are encountering an issue when accessing secure areas of our website, on Android devices, in Google Chrome.
It looks like this:
I’ve been able to replicate the issue on the following devices using Browserstack’s physical device testing:
- Samsung Galaxy S6, Samsung Galaxy S5, Samsung Galaxy S4 (Android v5 and v4.4)
- Nexus 6 (Android v6, v5 and v4.4)
- Moto X 2nd Gen (Android v6 and v5)
My research
All the articles, forums and questions that I’ve read online (and there aren’t many, unless I’m searching for the wrong thing) point to server and/or SSL certificate setup and configuration, and say that the issue being experienced is by design.
Suggested fix 1
The most useful article I’ve found so far is Issue 268055 “No Certificates Found” on the chromium issue tracker.
Comment 18 suggests changing SSL settings in IIS:
I can fix the issue if you have access to IIS. Basically you need to go to SSL Settings and make sure Require SSL is unchecked and that “Ignore” is selected for Client Certificates.
Comment 28 backs it up:
For the non-Googler case, this error message only occurs when you encounter a site that requests a client certificate. There’s nothing that Chrome can do here – the site has requested a client certificate, and to even know if a client certificate is valid, Chrome for Android has to ask the OS. That’s the prompt you’re seeing – it’s controlled by Android and all apps (Google or otherwise) are required to go through that flow.
This will occur with any site configured to request client certificates, so to resolve this, either don’t request client certificates, or configure your Android devices to have client certificates (e.g. via a device management application or via installing a PKCS#12 file).
kamakshi: This is all “By Design” behaviour, but requires server operators to change, so I’m not sure what to do with this bug.
As does comment 43:
I don’t think people on this bug would know much about configuring IIS. You’d want to talk with Microsoft about that. From searching around, “Ignore Client Certificate” seems to be the option you want.
We’ve done that but it doesn’t seem to have made a difference.
Suggested fix 2
Another question here on Stack (“certificate trusted on pc but not in android”) suggests that an intermediate certificate might be missing:
You might be missing an intermediate certificate in your cert file. If you have already visited another website which has the same certificate seller, the intermediate certificate is remembered in your browser. This might not – or even better – will not be the case with every visitor to your website. To solve a missing intermediate certificate in the SSL connection, you will need to add the intermediate certificate to your own certificate file.
I’ve checked and we have a domain certificate (which isn’t a wildcard certificate), an intermediate certificate and a root certificate, so I don’t think that’s the issue either. I’ve also run a site checker test on the Networking4all website, and an SSL test on the Qualys SSL website, and they both pass without errors or warnings.
My question
Has anyone else encountered this issue? Are there any other solutions that we can try to fix it? I’m out of ideas at this point so any advice would be hugely appreciated.
Some extra details just in case
The server the website is on is running Windows Server 2008 R2 and IIS 7.5, and our SSL certificate provider is Thawte.
Thanks in advance!
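The Chromium comments quoted above say the Android prompt appears whenever the server sends a TLS CertificateRequest, and on IIS that can be switched on in more than one place, not only in the SSL Settings page that comment 18 refers to. The following audit script is an added example, not code from the question, the Chromium tracker or Microsoft: it walks every site and every nested web.config for the `sslFlags` value behind the Ignore / Accept / Require radio buttons, and separately reads the http.sys SSL bindings, which carry their own "Negotiate Client Certificate" switch that IIS Manager does not show. It assumes it is run as Administrator on the IIS 7.5 host with the WebAdministration module available; the site names and paths it prints are whatever exists on that host.

```powershell
# Added audit script (not from the original question): list every place IIS 7.5
# can be configured to request a client certificate during the TLS handshake.
# Assumes: run as Administrator on the IIS host; WebAdministration module present.
Import-Module WebAdministration

function Get-ClientCertSettings {
    # Walk each site and every nested web.config (-Recurse) and report sslFlags.
    #   "Ssl, SslNegotiateCert"                   == "Accept" in IIS Manager
    #   "Ssl, SslNegotiateCert, SslRequireCert"   == "Require"
    #   no SslNegotiateCert / SslRequireCert flag == "Ignore" (the setting wanted here)
    # A sub-folder web.config with SslNegotiateCert overrides "Ignore" set at site level.
    foreach ($site in Get-Website) {
        $psPath = "IIS:\Sites\$($site.Name)"
        Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $psPath -Recurse |
            ForEach-Object {
                $flags = [string]$_.sslFlags
                [PSCustomObject]@{
                    Site         = $site.Name
                    ConfigPath   = $_.PSPath
                    SslFlags     = $flags
                    RequestsCert = ($flags -match 'SslNegotiateCert|SslRequireCert')
                }
            }
    }
}

function Get-SslBindingNegotiation {
    # http.sys bindings (netsh http add sslcert ... clientcertnegotiation=enable)
    # can request a client certificate independently of IIS Manager's SSL Settings.
    # Parse "netsh http show sslcert" output into one object per binding.
    $text   = (& netsh http show sslcert) -join "`n"
    # Each binding block in the output begins with "IP:port" (IIS 8+ also has "Hostname:port").
    $blocks = $text -split '(?m)^\s*(?=IP:port|Hostname:port)'
    foreach ($block in $blocks) {
        if ($block -match '(?m)^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $binding   = $Matches[2]
            $negotiate = if ($block -match 'Negotiate Client Certificate\s*:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
            [PSCustomObject]@{
                Binding                 = $binding
                NegotiateClientCert     = $negotiate   # "Enabled" means a CertificateRequest is sent
            }
        }
    }
}

# Report only the locations that would make Chrome for Android show the prompt.
Write-Host "IIS paths that request client certificates:"
Get-ClientCertSettings | Where-Object { $_.RequestsCert } | Format-Table -AutoSize

Write-Host "http.sys SSL bindings and their client certificate negotiation setting:"
Get-SslBindingNegotiation | Format-Table -AutoSize
```

If the first table lists a path, `Set-WebConfigurationProperty -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl' -PSPath '<that path>'` is the scripted equivalent of choosing "Ignore" there while keeping the Require SSL flag. If a binding in the second table shows "Enabled", the binding has to be removed and re-added with `netsh http add sslcert ... clientcertnegotiation=disable`, using the same certificate hash and application id it already has (`netsh http show sslcert` prints both). To confirm the result from outside the server, `openssl s_client -connect <host>:443 -servername <host>` prints "Acceptable client certificate CA names" when a CertificateRequest is still being sent and "No client certificate CA names sent" once it is not.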