<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Nov 14, 2022 at 10:34 PM Lukas Tribus <<a href="mailto:lukas@ltri.eu">lukas@ltri.eu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 14 Nov 2022 at 22:56, James Read <<a href="mailto:jamesread5737@gmail.com" target="_blank">jamesread5737@gmail.com</a>> wrote:<br>
>> So the file needs to contain first your certificate and then the<br>
>> intermediate one.<br>
><br>
><br>
> OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits (SHA256withRSA)<br>
<br>
Correct, a TLS session negotiated with SNI <a href="http://us.wottot.com" rel="noreferrer" target="_blank">us.wottot.com</a> is now<br>
correctly showing the intermediate certificate.<br>
You are not sending the root certificate here, which is also<br>
completely correct at this point.<br>
<br>
The previous poster is confused by the openssl output, which actually<br>
shows a correctly configured server (for the particular SNI value<br>
<a href="http://us.wottot.com" rel="noreferrer" target="_blank">us.wottot.com</a>).<br>
<br>
So all browsers and mobile devices should be able to connect to<br>
<a href="http://us.wottot.com" rel="noreferrer" target="_blank">us.wottot.com</a> now.<br>
<br>
<br>
> but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting<br>
> Chain issues Incomplete, Extra certs, Contains anchor<br>
<br>
This is a fallback for clients not matching <a href="http://us.wottot.com" rel="noreferrer" target="_blank">us.wottot.com</a>.<br>
<br>
You probably have a "default" ssl server in your configuration that is<br>
still pointing to a path that you did not clean up. You should only<br>
define this certificate once in your nginx configurations, not<br>
multiple times in different server blocks.<br>
<br>
<br></blockquote><div><br></div><div>OK. Problem solved. Thanks for your patience and your explanations.</div><div><br></div><div>James Read</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Lukas<br>
</blockquote></div></div>
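The layout discussed in this thread, sketched as an nginx configuration. This is an added example, not configuration posted by anyone in the thread; the file paths, the catch-all server block and its `return 444` are assumptions.

```nginx
# Added example; paths are placeholders, not taken from the thread.
http {
    # Declared once at http level and inherited by every server block below,
    # so the SNI match and the fallback cannot point at different files.
    # Order inside fullchain.pem: the server (leaf) certificate first,
    # then the intermediate. The root certificate is left out.
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Fallback: answers TLS handshakes whose SNI matches no server_name.
    # A stale ssl_certificate path here is what a scanner reports as a
    # second certificate with chain issues.
    server {
        listen 443 ssl default_server;
        server_name _;
        return 444;   # assumption: close the connection for unknown names
    }

    # The named site; it inherits the certificate declared above.
    server {
        listen 443 ssl;
        server_name us.wottot.com;
        root /var/www/us.wottot.com;   # placeholder document root
    }
}
```

Running `nginx -T` prints the full effective configuration, which makes it easy to find every remaining `ssl_certificate` line across included files.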