Your connection is not private error on Android device

Lukas Tribus lukas at
Mon Nov 14 22:32:55 UTC 2022

On Mon, 14 Nov 2022 at 22:56, James Read <jamesread5737 at> wrote:
>> So the file needs to contain first your certificate and then the
>> intermediate one.
> OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits (SHA256withRSA)

Correct, a TLS session negotiated with SNI is now
correctly showing the intermediate certificate.
You are not sending the root certificate here, which is also
completely correct at this point.

The previous poster is confused by the openssl output, which actually
shows a correctly configured server (for the particular SNI value

So all browsers and mobile devices should be able to connect to now.

> but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting
> Chain issues Incomplete, Extra certs, Contains anchor

This is a fallback for clients not matching

You probably have a "default" ssl server in your configuration that is
still pointing to a path that you did not cleanup. You should only
define this certificate once in your nginx configurations, not
multiple times in different server blocks.


More information about the nginx mailing list