I don’t only blog about TLS. Honest.

Guest WIFI at Center Parcs Longleat requires interaction with a web site, effectively to register devices (MAC addresses, I guess). Fairly typical of guest WIFI.

One device we brought with us is a Samsung tablet based on Android 6. It was generating a certificate error when the browser was redirected to this site.  Interrogating the certificate being supplied proved really difficult on the tablet.

My laptop, with Firefox, made quick work of the problem. I really like how Firefox presents the certificate chain.

It turned out it was a wildcard certificate (“*.guesttek.cloud”) issued by Amazon’s “Server CA 1B” (valid 21/10/2015 to 2040) which was signed by root “Amazon Root CA 1” (valid 26/05/2015 to 17/01/2038). Interesting time ranges; particularly the use of intermediates that exceed the lifetime of the root.

The solution was to add all of Amazon’s CAs to the Android trust store. It doesn’t make sense to just add one of them, it just means the device might have problems with other sites in the future.  They can be downloaded from Amazon Trust Services.  I got the details on how to do this from Clarinspect.

While there, it probably makes sense to check that Let’s Encrypt’s root certificates are trusted. The overlap between devices affected by both is likely to be fairly broad.  More detail on that from Scott Helme. They key step from that post is:

Remove the IdenTrust DST Root CA X3 root certificate and manually install the ISRG Root X1 root certificate (not the cross-signed one).

I’d probably add X2 as well, get them both from Let’s Encrypt. Worse case an old device won’t support ECDSA roots, but I imagine they’ll use it eventually. There are test websites on that site to validate the change.