Your connection is not private error on Android device

James Read jamesread5737 at gmail.com
Mon Nov 14 22:22:41 UTC 2022


On Mon, Nov 14, 2022 at 10:12 PM Jeffrey Walton <noloader at gmail.com> wrote:

>
>
> On Mon, Nov 14, 2022 at 4:59 PM James Read <jamesread5737 at gmail.com>
> wrote:
>
>> ...
>> OK. Thanks. I rearranged the file and deleted some certificates. Now
>> sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits
>> (SHA256withRSA) but for Certificate #2: RSA 2048 bits (SHA256withRSA) it
>> is reporting
>> Chain issues
>> *Incomplete, Extra certs, Contains anchor*
>>
>> Any ideas?
>>
>
> The certificate chain for us.wottot.com still looks off to me. depth=1
> and depth=0 are Ok. But at depth=2, you do not need the certificate with
> 'CN = Starfield Root Certificate Authority - G2'.
>

I don't understand how there can be a depth=2. My certificate file only now
has two certificates in it.


James Read


> You don't send the Root CA. User agents must already have the Root CA in
> their store (and trust it). Some user agents, like browsers, even carry
> around a bunch of intermediate certificates.
>
> Jeff
>
> $ openssl s_client -connect us.wottot.com:443 -servername us.wottot.com -showcerts
> CONNECTED(00000003)
> depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
> verify return:1
> depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
> verify return:1
> depth=0 CN = *.wottot.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.wottot.com
>    i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>  1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>    i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
> ---
> Server certificate
> subject=CN = *.wottot.com
>
> issuer=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
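Added example, not part of the original message: in `openssl s_client` output the `depth=` lines show the path the client built while verifying, which ends at the root taken from the client's own trust store, while the `Certificate chain` block lists only what the server sent. The sketch below parses that output and flags the chain problems SSL Labs names; `SAMPLE` is constructed from the output quoted above (abridged, PEM bodies removed), and the function names are hypothetical.

```python
import re

# Constructed sample: abridged `openssl s_client -showcerts` output modelled on
# the output quoted in the message (PEM bodies and some DN fields removed).
SAMPLE = """\
depth=2 C = US, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
verify return:1
depth=1 C = US, O = "Starfield Technologies, Inc.", CN = Starfield Secure Certificate Authority - G2
verify return:1
depth=0 CN = *.wottot.com
verify return:1
---
Certificate chain
 0 s:CN = *.wottot.com
   i:C = US, O = "Starfield Technologies, Inc.", CN = Starfield Secure Certificate Authority - G2
 1 s:C = US, O = "Starfield Technologies, Inc.", CN = Starfield Secure Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
---
"""

def sent_chain(text):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    section = text.split("Certificate chain", 1)[1].split("\n---", 1)[0]
    return re.findall(r"^ *\d+ s:(.*)\n +i:(.*)$", section, re.M)

def verify_depths(text):
    """Return the depth numbers the client reported while building its path."""
    return sorted(int(d) for d in re.findall(r"^depth=(\d+) ", text, re.M))

def chain_issues(chain):
    """Flag a self-signed root in the sent chain and any break in issuer order."""
    issues = []
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            issues.append(f"cert {n}: self-signed root sent (contains anchor)")
        elif n + 1 < len(chain) and chain[n + 1][0] != issuer:
            issues.append(f"cert {n + 1}: not the issuer of cert {n} (order or extra cert)")
    return issues

if __name__ == "__main__":
    chain = sent_chain(SAMPLE)
    print("certificates sent:", len(chain), "| verify depths:", verify_depths(SAMPLE))
    print("issues:", chain_issues(chain) or "none")
```

To check a live server, feed the function the text from `openssl s_client -connect host:443 -servername host -showcerts </dev/null`.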