URLConnection "Unacceptable TLS certificate" ONLY outside of USA

We host an API (Web App) on Xojo Cloud, and the SSL certs all appear to be in working order. When one of our clients (Xojo app using URLConnection to talk to Web App) connects everything works great - here in North America.

When a client uses our product in Paris, they get:
Error code: 6 "Unacceptable TLS certificate"

I left a message for our certificate issuer, but in the meantime has anyone run across this? Thanks for any direction.

Seems like a legitimate error that’s not Xojo’s or your fault.

If you care to share, it might be helpful for us to know which issuer to avoid.

Lifeboat uses Let’s Encrypt because their short term certificates are free, and accepted most everywhere by now.

1 Like

This one is from “Sectigo”, and a wildcard certificate for all my TLDs (that’s what I think they call “3rd-level domains”).

See if reinstalling the CA certs on your system changes something.

sudo apt install --reinstall ca-certificates

In Ubuntu/Debian systems.

1 Like

Rick, I’m sharing this support email (below) if it helps. The certs are installed on Xojo Cloud by the Xojo team (I’m not sure I can issue a --reinstall command). What’s interesting is that they (SECTIGO) claim “no issues”, which leads me to ask - what exactly does the error “Unacceptable TLS certificate” truly mean? And what else could be causing this if not SSL certs?

Dear Customer,

Thank you for writing to us.

SSL Checker
We can see that the SSL and CA-Chain files are perfectly installed and
https://api.fluidlink.io/
is working fine without any issues from outside the US. Please verify again and share the screenshots if you still get the error.

Regards,
SECTIGO - SSL Technical Support.

I had not paid attention and was thinking you were hosting your files/apps yourself. Sometimes, for causes unknown to me, the certificate chain is broken, and in some cases a “refresh” (reinstall) of the CAs fixes it; or they are outdated and sudo update-ca-certificates could help too. But if SECTIGO did test it and said it’s OK, I’m out of new ideas. The problem seems to lie at some point between the client and the Xojo servers, including both. :man_shrugging:t2: But it seems like something that can only be solved on the server side and is related to the ability to correctly process all the certificates involved, with properly updated ciphers and systems able to process TLS 1.1 to 1.3.

Just one client? Isolated case?

Two identical devices in two regions of France, both with identical error. Identical devices from same batch work fine on US soil.

Thanks for hopping in with the SSL knowledge, Rick. I like to keep an eye on and learn things about web deployment issues. I wish you the best, William.

1 Like

Another thing to look at is to make sure that the date/time are correct on the machines in France. SSL Certificates are very time sensitive and if the date/time doesn’t fall within the validity period of the certificate, it’ll outright fail.

Also if you have shell access to those machines, you can use openssl to validate the certificate:

openssl s_client -showcerts -connect www.yourdomain.com:443

That might tell you more about what the problem is.

I love the suggestion regarding “time”. Are you saying that if the PC/device system clock isn’t set to the correct local time, that could cause an issue?

1 Like

I’m saying that if it’s set to a date/time that is outside of the valid dates for the SSL certificate that this could be a problem.

So let’s say you just bought a cert today with a one year validity. If the date on the computer is earlier than today or after a year from now, it’ll give this error when connecting to the server with this cert.

So yes, connecting to and using a Network Time Protocol (NTP) server is really important.
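The validity-window comparison that this post describes (and that the openssl s_client suggestion above lets you inspect by hand) is what the TLS library performs before it reports "Unacceptable TLS certificate". The script below is an added example, not code from this thread, from Xojo or from Sectigo: SAMPLE_CERT is a constructed certificate dict in the shape ssl.SSLSocket.getpeercert() returns, the function names are mine, and the check is done against the UTC instant, so a device whose wall clock reads the right local time under the wrong time zone is off by the zone error in hours.

```python
"""Why a wrong clock or time zone fails TLS certificate validation.
Added example; the certificate below is constructed, not a real one."""
import socket
import ssl
import time

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); the date
# strings use the format openssl prints for notBefore/notAfter.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.test"),),),
    "notBefore": "Mar 10 00:00:00 2023 GMT",
    "notAfter": "Mar  9 23:59:59 2024 GMT",
}


def parse_cert_time(text):
    """Convert an openssl-style certificate date to POSIX seconds (UTC)."""
    return ssl.cert_time_to_seconds(text)


def validity_window(cert):
    """Return (notBefore, notAfter) as POSIX seconds for a getpeercert() dict."""
    return parse_cert_time(cert["notBefore"]), parse_cert_time(cert["notAfter"])


def check_validity(cert, now_epoch):
    """Classify the certificate against the client's idea of 'now' (UTC).

    This is the date check every verifier performs: outside the window the
    handshake fails regardless of issuer, chain or hostname.
    """
    not_before, not_after = validity_window(cert)
    if now_epoch < not_before:
        return "not_yet_valid"
    if now_epoch > not_after:
        return "expired"
    return "ok"


def apparent_utc(true_utc, true_offset_hours, configured_offset_hours):
    """Model the failure mode in the thread: the device wall clock shows the
    correct local time, but the configured time zone is wrong. The UTC instant
    the TLS stack compares is then shifted by the zone error."""
    return true_utc + (true_offset_hours - configured_offset_hours) * 3600


def live_check(host, port=443, timeout=5.0):
    """Python counterpart of `openssl s_client -showcerts -connect host:443`
    using the system trust store. Needs network access; not exercised offline.
    Returns (verdict, notBefore, notAfter) or ('verify_failed', reason, None)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        verdict = check_validity(cert, time.time())
        return verdict, cert["notBefore"], cert["notAfter"]
    except ssl.SSLCertVerificationError as err:
        # e.g. "certificate has expired" or "certificate is not yet valid"
        return "verify_failed", err.verify_message, None


if __name__ == "__main__":
    true_now = parse_cert_time("Mar 10 02:00:00 2023 GMT")  # 2h after issue
    print("correct clock (Paris, UTC+1):",
          check_validity(SAMPLE_CERT, true_now))
    # Same wall-clock reading, zone misconfigured as UTC+12: apparent UTC is
    # 11 hours behind, i.e. before notBefore.
    print("Paris clock, zone set to UTC+12:",
          check_validity(SAMPLE_CERT, apparent_utc(true_now, 1, 12)))
```

In the thread the device in France produced the error while identical devices in the US did not; with the model above, the same wall-clock time under a US zone setting is read as several hours ahead in UTC, which only bites near the end of a certificate's life, whereas a zone set east of Paris pushes the apparent UTC before a freshly issued certificate's notBefore. A real run of live_check against the host in question, from the affected device, would show which side of the window its clock lands on.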

Working fine from Germany at least.

SSL checkers (like the IONOS by 1&1 SSL Checker) are not showing an issue either.

Thanks to everyone for checking into this with me. As it turns out the timezone on the device was incorrect, and once they were updated the TLS error went away and everything is working as expected.

7 Likes

The clocks tick differently in France, well-known fact :wink:

2 Likes