I recently got this error message : “The URL you entered is invalid” when trying to connect to my rocketchat server, behind a nginx reverse proxy with a let’s encrypt https certificate
It worked on some devices ont not on other ones : fails on Android 7, succeeds on Android 8
A few days ago, just before I changed the certificate, it worked on Android 7…
It appeared that the new certificate (lego
client) used a EC384 key.
Before, it used a RSA2048 one (I used certbot
)
If you don’t know what kind of key you used, go to https://www.ssllabs.com/ssltest/analyze.html, enter your domain name, wait, and look for :
Certificate #1: EC 384 bits (SHA256withRSA)
or :
Certificate #1: RSA 2048 bits (SHA256withRSA)
If you see EC 384, then your key file uses the “recent” EC 384 algorithm (this is now the default with lego acme let’s encrypt client).
You can change this default with the -k
lego option.
Renew your cert:
lego ... all yout config stuff... -k rsa2048
Your new key will be a RSA 2048 one, and may be this will solve your problem. It solved mine…
But ! ssllabs will downgrade you to B (and say: This server does not support Forward Secrecy with the reference browsers. Grade capped to B). Indeed:
The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.
Hope this helped.