question

jarno asked

"The SSL certificate used by your web app is invalid"

I'm trying to add a web app to the Amazon store and this is now stopping us from continuing. There is a notification that "The SSL certificate used by your web app is invalid". We have had no issues with our SSL before, and it's from Gandi.

Tags: web apps, amazon developer portal, ssl

Levon@Amazon answered

Hi jarno,

Thanks for posting! Dev Portal now requires secure connection for all new web apps and updates, hence this requirement. Generally, if your certificate is signed by an Amazon-approved certificate authority, it will be supported. As an example, certificates from DigiCert, Thawte, Entrust, and Verisign should work without any issues. Thanks!


DDrexlmaier answered

Same problem here. My certificate is from "Let's Encrypt Authority X3".


Levon@Amazon answered

@DDrexlmaier

There are two possible root causes for this scenario (the two root causes are unrelated to each other and may coexist):

(a) Amazon does not recognize "DST Root CA X3" as a valid root CA.

(b) A misconfigured service on the developer's side (possibly an incorrectly configured intermediate trust chain).

For reference, see this article about DST Root CA X3: https://letsencrypt.org/certificates/. A long-term solution to prevent (a) from happening again is to permanently add "DST Root CA X3" to the Amazon-recognized certs as a valid root CA; however, this request was denied by our security team.

For (b), we assume that you know of a way of configuring your service, including everything around the intermediate trust chains, therefore I tend to believe that the root cause here was only (a). If so, then as I mentioned earlier, the way forward is to get a certificate from established providers, such as DigiCert, Thawte, Entrust, or Verisign, which all should work without any issues. Thanks!

3 comments

@Levon@Amazon

  1. When did the Amazon security team last review adding DST Root CA X3 as a valid root CA? Maybe, due to its popularity, the security team could review it again?
  2. What was the reasoning behind the decision to not support it?
  3. Have the security team provide a list of supported cert providers (having a list of 'almost' matching providers (i.e., Mozilla's) is rather a bad joke).
  4. Have the security team consider providing Amazon certs for those of us that use Amazon VMs.

Thanks!

0 Likes 0 ·

Unfortunately, I am stuck at the last step of the app submission process, as are (too) many other developers. It is not understandable to me why all major browsers recognize "DST Root CA X3" as a valid root CA but Amazon does not. This needs to be explained in more detail.

0 Likes 0 ·
Jacek · newuser-66f4f87f-240c-4da0-8dcd-9ea4ce76ffac ·

If you need to publish, you need to publish. We got namecheap.com cert for a single host, and published using that cert. The rest of our hosts are protected by LE.

I did some very limited testing, and maybe it is possible to use a third-party host that is not using LE certs, and after submitting your app (the SSL test is potentially done only when you click the 'Save' button on the submission page), have that host link to your LE certs host. Although, it may be that the SSL test is also done during submission testing, and/or when the app is already live (this one maybe not, as apps that are already published are not going down, but rather are being blocked during the new submission process). The overhead for that third-party host is rather negligible, as it just has to point to a different place for the index file of your app.

0 Likes 0 ·
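The two root causes Levon@Amazon lists above can be told apart by verifying the presented chain against a trust store that holds only the roots the validator recognizes, rather than the browser's store. The Go program below is an added example, not code from this thread or from Amazon; it builds a private root, intermediate and leaf (all names, serial numbers and the host name app.example are constructed) and runs the three cases: the full chain against a store holding its root, the full chain against a store holding an unrelated root (cause (a), an unrecognized root CA), and a chain from which the server omitted the intermediate (cause (b), a server-side misconfiguration).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certPair is a certificate plus its private key; every cert here is constructed for the example.
type certPair struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root.
func issue(serial int64, cn string, isCA bool, parent *certPair) (*certPair, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if !isCA { // a server leaf: bind it to the host name and to the server-auth purpose
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &certPair{cert: cert, key: key}, err
}

// VerifyPresented validates what a server presents (leaf plus the intermediates it sends) against a store holding only trustedRoots.
func VerifyPresented(leaf *x509.Certificate, intermediates, trustedRoots []*x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err // nil only if a chain from leaf to one of trustedRoots was built
}

type Outcome struct {
	FullChainKnownRoot  error // complete chain, issuing root in the store: nil expected
	UnknownRoot         error // cause (a): complete chain, but the store lacks the issuing root
	MissingIntermediate error // cause (b): root trusted, but the server omitted the intermediate
}

// RunScenarios builds root A -> intermediate A -> leaf, plus an unrelated root B, and checks each case.
func RunScenarios() (Outcome, error) {
	const host = "app.example" // constructed host name
	rootA, err1 := issue(1, "Example Root A", true, nil)
	rootB, err2 := issue(2, "Unrelated Root B", true, nil)
	interA, err3 := issue(3, "Example Intermediate A", true, rootA)
	leaf, err4 := issue(4, host, false, interA)
	if err := errors.Join(err1, err2, err3, err4); err != nil {
		return Outcome{}, err
	}
	sent := []*x509.Certificate{interA.cert} // what a correctly configured server sends alongside the leaf
	return Outcome{
		FullChainKnownRoot:  VerifyPresented(leaf.cert, sent, []*x509.Certificate{rootA.cert}, host),
		UnknownRoot:         VerifyPresented(leaf.cert, sent, []*x509.Certificate{rootB.cert}, host),
		MissingIntermediate: VerifyPresented(leaf.cert, nil, []*x509.Certificate{rootA.cert}, host),
	}, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("full chain, known root: %v\ncause (a), unknown root: %v\ncause (b), missing intermediate: %v\n",
		out.FullChainKnownRoot, out.UnknownRoot, out.MissingIntermediate)
}
```

Both failing cases come back as the same unknown-authority error, which is why a validator's message alone does not say which cause applies; what separates them is whether the same presented chain verifies once the issuing root is added to the store. A browser or an SSL Labs scan, as mentioned later in this thread, checks against its own root program, not against the store's root list, so a site can grade 'A' there and still fail a validator that lacks the root.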
newuser-7c2a5ea1-895b-4b60-9796-3993521b3434 answered

Is LetsEncrypt still not supported by Amazon? It's been a year now since the post. Hoping it's supported by now. I am running into the same problem during the last step of submission. It's kinda strange that SSL Labs and even the vendors give my URL an 'A' but Amazon still considers it invalid and is pushing us towards commercial providers.

1 comment

Hi there,

Regrettably no -- there have been no changes regarding LetsEncrypt certificates. Thanks!

-1 Like -1 ·
Kalle answered

Me too. I have a collection of progressive web apps (https://soccer.coachaide.com, https://basketball.coachaide.com, https://icehockey.coachaide.com and https://floorball.coachaide.com) that I'd like to publish on Amazon's App Store but can't because they don't accept LetsEncrypt's certificate.


Calvin answered

I'm having the same problem but confused by the answer given here.

> Please review the list of Amazon approved certificates: https://wiki.mozilla.org/CA:IncludedCAs

This is Mozilla's list of approved certs, are you saying Amazon supports all the ones that Mozilla supports? If so, there's a link on the second page that includes all the root certs that they trust. That list includes DST Root CA X3: https://ccadb-public.secure.force.com/mozilla/CACertificatesInFirefoxReport

In fact, it also includes the Let's Encrypt signed version: ISRG Root X1

So is it possible to present this to the security team and get them to add it as a valid root CA?

1 comment

Hi Calvin,

The list of Mozilla approved certs was thought to be the same as what Amazon supports, however apparently there are some certificates there that are not supported by Amazon, hence this discrepancy. So at the moment Let's Encrypt is not supported / cannot be added to the list of Amazon supported certs regrettably. You'd need to use as mentioned earlier, DigiCert, Thawte, Entrust, or Verisign, etc. Thanks!

-1 Like -1 ·
newuser-8790eda5-ee9d-4c9e-b641-4b6957f7ce8a answered

Does Amazon not support Let's Encrypt / Dehydrated???

1 comment

Regrettably, no.

-1 Like -1 ·
newuser-effa7e99-e746-4b69-a439-cba2c1bffb6e answered

Please add support for Let's Encrypt certificates!!!


newuser-b529993c-7542-4e0d-a1a4-6df3951b25db answered

Bump. Amazon, please support LetsEncrypt certificates. It's used by millions of web apps right now, and that number is increasing. LetsEncrypt has become a major de facto HTTPS issuer; all the browsers and OSes support it. You're hurting the Amazon App Store by blocking apps secured with LetsEncrypt HTTPS certificates.


Aliwarda answered

Please add a certificate to my website

https://www.satalarabs.com
