Your connection is not private error on Android device

Jeffrey Walton noloader at gmail.com
Mon Nov 14 22:11:53 UTC 2022


On Mon, Nov 14, 2022 at 4:59 PM James Read <jamesread5737 at gmail.com> wrote:

> ...
> OK. Thanks. I rearranged the file and deleted some certificates. Now
> sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits
> (SHA256withRSA) but for Certificate #2: RSA 2048 bits (SHA256withRSA) it
> is reporting
> Chain issues
> *Incomplete, Extra certs, Contains anchor*
>
> Any ideas?
>

The certificate chain for us.wottot.com still looks off to me. depth=1 and
depth=0 are Ok. But at depth=2, you do not need the certificate with 'CN =
Starfield Root Certificate Authority - G2'.

You don't send the Root CA. User agents must already have the Root CA in
their store (and trust it). Some user agents, like browsers, even carry
around a bunch of intermediate certificates.

Jeff

$ openssl s_client -connect us.wottot.com:443 -servername us.wottot.com
-showcerts
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield
Secure Certificate Authority - G2
verify return:1
depth=0 CN = *.wottot.com
verify return:1
---
Certificate chain
 0 s:CN = *.wottot.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield
Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIGszCCBZugAwIBAgIJALmBI4vKMs8xMA0GCSqGSIb3DQEBCwUAMIHGMQswCQYD
VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEl
MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEzMDEGA1UECxMq
aHR0cDovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvMTQwMgYD
VQQDEytTdGFyZmllbGQgU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcy
MB4XDTIyMTExMjE4MjQzNVoXDTIzMTExMjE4MjQzNVowFzEVMBMGA1UEAwwMKi53
b3R0b3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4tT+zLfe
hBL/Y/fylqijUY1cusctX/bw7n4pcyS3ZyGcl+zEq4C/uNlgXh5uUBbfO0Zd+75R
rdYLjBjO99RsJU5x1EBiPNlvvBIILXmSDiEhsWdUgu9Irsu/VI85KMq8rIWTiRuD
y4r387oU/F2L9tYS9Lg1YOHzDidTKruZzKp9CSyxAjV/RKfEkXHKZHnPd7sjDtDq
BuagoxBNMfkYX6zwGz/iARlu4bIsFIrmvdGVyZUYJ7RM2FL9F5LfMZHGagnP96UU
OwT7yoDw6gkgSHsfA2+6D36WcUJOgIcJ96259KstI94UupqE3S+msRRWhZhUR8hh
dje5PYUuhQjkBwIDAQABo4IDUDCCA0wwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAU
BggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMD0GA1UdHwQ2MDQw
MqAwoC6GLGh0dHA6Ly9jcmwuc3RhcmZpZWxkdGVjaC5jb20vc2ZpZzJzMS01MDUu
Y3JsMGMGA1UdIARcMFowTgYLYIZIAYb9bgEHFwEwPzA9BggrBgEFBQcCARYxaHR0
cDovL2NlcnRpZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5LzAI
BgZngQwBAgEwgYIGCCsGAQUFBwEBBHYwdDAqBggrBgEFBQcwAYYeaHR0cDovL29j
c3Auc3RhcmZpZWxkdGVjaC5jb20vMEYGCCsGAQUFBzAChjpodHRwOi8vY2VydGlm
aWNhdGVzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvc2ZpZzIuY3J0MB8G
A1UdIwQYMBaAFCVFgWhQJjg9Oy0svs1q2bY9s2ZjMCMGA1UdEQQcMBqCDCoud290
dG90LmNvbYIKd290dG90LmNvbTAdBgNVHQ4EFgQUtFbGpGeJWh/YFrN8gpFP2i1o
SuMwggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB1AOg+0No+9QY1MudXKLyJa8kD
08vREWvs62nhd31tBr1uAAABhG0WHCEAAAQDAEYwRAIgL/MHOaozMCv2hKYtk/ga
PCf1ybV5mQ4B0DS0SrUPuQICIGdGnBh2tP76LFzcaw+JIHXOe3gPCyS4UBSG4tHC
T7WaAHYAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS61IAAAGEbRYdBAAA
BAMARzBFAiAb2UR4BmIPuVbcB+KmdQDM6FcaVkjyytTCrMccdnQaLgIhAJkB7llf
Gc0UCKeAD54O2ZATfInOOQLyIqN2K7UC3puqAHYAs3N3B+GEUPhjhtYFqdwRCUp5
LbFnDAuH3PADDnk2pZoAAAGEbRYeBQAABAMARzBFAiBSXXglDGJYWi8ia9JZOfxK
gZC7JcYV5p/g9tMsqoqR5QIhANtqc01iTbcJT2m6mtAL1qqQNmKl81PkCvaIEmYp
FmXuMA0GCSqGSIb3DQEBCwUAA4IBAQCkpiRc26hkqadkYCHRqwadjI4PIzyQfgyh
3tGoGfAPx2fwNuVPHq7tStALxb920EwRk3oHn47zm7iq/VWYF/Wo70RGgm7S75Gq
vFOGqgrbDSc/gVdDXlT5r9yeJANg+cmuffoZIDcAiFELz0crp9WlWiw0s2P5LKGn
wZIwjWF049hdvuXgiMUlsR294dgZHduFyfaXtVjxRgxcaiZV5ckHhyfHnpb7WyVL
jcqMt2TQa/fzYxpmk7ttuNfa0PMjj77rEpRM6hmgtVcq/Nde4D2RywOufiHKF//c
lpRCdIuPJmsMHOVkLmo8bNxgd5RzK4+tKmugYaQtOwSXXHaPFC2i
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield
Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", CN = Starfield Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIFADCCA+igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBjzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxJTAjBgNVBAoT
HFN0YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAMTKVN0YXJmaWVs
ZCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAw
MFoXDTMxMDUwMzA3MDAwMFowgcYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6
b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMSUwIwYDVQQKExxTdGFyZmllbGQgVGVj
aG5vbG9naWVzLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydHMuc3RhcmZpZWxk
dGVjaC5jb20vcmVwb3NpdG9yeS8xNDAyBgNVBAMTK1N0YXJmaWVsZCBTZWN1cmUg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDlkGZL7PlGcakgg77pbL9KyUhpgXVObST2yxcT+LBxWYR6ayuF
pDS1FuXLzOlBcCykLtb6Mn3hqN6UEKwxwcDYav9ZJ6t21vwLdGu4p64/xFT0tDFE
3ZNWjKRMXpuJyySDm+JXfbfYEh/JhW300YDxUJuHrtQLEAX7J7oobRfpDtZNuTlV
Bv8KJAV+L8YdcmzUiymMV33a2etmGtNPp99/UsQwxaXJDgLFU793OGgGJMNmyDd+
MB5FcSM1/5DYKp2N57CSTTx/KgqT3M0WRmX3YISLdkuRJ3MUkuDq7o8W6o0OPnYX
v32JgIBEQ+ct4EMJddo26K3biTr1XRKOIwSDAgMBAAGjggEsMIIBKDAPBgNVHRMB
Af8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUJUWBaFAmOD07LSy+
zWrZtj2zZmMwHwYDVR0jBBgwFoAUfAwyH6fZMH/EfWijYqihzqsHWycwOgYIKwYB
BQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFyZmllbGR0ZWNo
LmNvbS8wOwYDVR0fBDQwMjAwoC6gLIYqaHR0cDovL2NybC5zdGFyZmllbGR0ZWNo
LmNvbS9zZnJvb3QtZzIuY3JsMEwGA1UdIARFMEMwQQYEVR0gADA5MDcGCCsGAQUF
BwIBFitodHRwczovL2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQBWZcr+8z8KqJOLGMfeQ2kTNCC+Tl94qGuc22pN
QdvBE+zcMQAiXvcAngzgNGU0+bE6TkjIEoGIXFs+CFN69xpk37hQYcxTUUApS8L0
rjpf5MqtJsxOYUPl/VemN3DOQyuwlMOS6eFfqhBJt2nk4NAfZKQrzR9voPiEJBjO
eT2pkb9UGBOJmVQRDVXFJgt5T1ocbvlj2xSApAer+rKluYjdkf5lO6Sjeb6JTeHQ
sPTIFwwKlhR8Cbds4cLYVdQYoKpBaXAko7nv6VrcPuuUSvC33l8Odvr7+2kDRUBQ
7nIMpBKGgc0T0U7EPMpODdIm8QC3tKai4W56gf0wrHofx1l7
-----END CERTIFICATE-----
---
Server certificate
subject=CN = *.wottot.com

issuer=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies,
Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield
Secure Certificate Authority - G2
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20221114/598d71f1/attachment.htm>


More information about the nginx mailing list