On Mon, 14 Nov 2022 at 22:56, James Read <jamesread5737@gmail.com> wrote:
>> So the file needs to contain first your certificate and then the
>> intermediate one.
>
> OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits (SHA256withRSA)

Correct, a TLS session negotiated with SNI us.wottot.com is now
correctly showing the intermediate certificate.
You are not sending the root certificate here, which is also
completely correct at this point.
The previous poster is confused by the openssl output, which actually
shows a correctly configured server (for the particular SNI value
us.wottot.com).
So all browsers and mobile devices should be able to connect to
us.wottot.com now.

> but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting
> Chain issues Incomplete, Extra certs, Contains anchor

This is a fallback for clients not matching us.wottot.com.
You probably have a "default" ssl server in your configuration that is
still pointing to a path that you did not clean up. You should only
define this certificate once in your nginx configurations, not
multiple times in different server blocks.
Lukas
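
The fallback behaviour described in the reply above, as an added example that is not part of the original message or of nginx itself: a small Python scan of a configuration that reports which `ssl_certificate` file answers a given SNI name and which one answers clients that match no `server_name`. The sample configuration is constructed (only us.wottot.com comes from the thread; the paths and the catch-all block are assumptions), and the scan assumes a single listen socket, exact names only, and no `include` files.

```python
import re

# Constructed sample config: only us.wottot.com comes from the thread;
# the file paths and the catch-all block are assumptions.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate /etc/nginx/ssl/old-bundle.pem;
}
server {
    listen 443 ssl;
    server_name us.wottot.com;
    ssl_certificate /etc/nginx/ssl/us.wottot.com.chain.pem;
}
"""

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def args_of(body, name):
    """Argument lists of each `name ...;` directive in one block."""
    return [m.group(1).split()
            for m in re.finditer(rf"^\s*{name}\s+([^;]+);", body, re.M)]

def tls_servers(conf):
    """One record per server block that listens with `ssl`, in file order."""
    out = []
    for body in server_blocks(conf):
        listens = [a for a in args_of(body, "listen") if "ssl" in a]
        if listens:
            out.append({
                "names": [n for a in args_of(body, "server_name") for n in a],
                "certs": [a[0] for a in args_of(body, "ssl_certificate")],
                "default": any("default_server" in a for a in listens),
            })
    return out

def certs_for(conf, sni):
    """Certificate files nginx would present for `sni` (exact names only)."""
    servers = tls_servers(conf)
    match = [s for s in servers if sni in s["names"]]
    # No match: the default_server block answers, else the first block defined.
    fallback = [s for s in servers if s["default"]] or servers[:1]
    return (match or fallback)[0]["certs"] if servers else []
```

Calling `certs_for` with a name that no block lists shows the bundle that a scanner reports as the second certificate, which is the file to check for ordering and leftover certificates.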