On Mon, Nov 14, 2022 at 10:34 PM Lukas Tribus <lukas@ltri.eu> wrote:
> On Mon, 14 Nov 2022 at 22:56, James Read <jamesread5737@gmail.com> wrote:
> >> So the file needs to contain first your certificate and then the
> >> intermediate one.
> >
> >
> > OK. Thanks. I rearranged the file and deleted some certificates. Now
> > sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits
> > (SHA256withRSA)
>
> Correct, a TLS session negotiated with SNI us.wottot.com is now
> correctly showing the intermediate certificate.
> You are not sending the root certificate here, which is also
> completely correct at this point.
>
> The previous poster is confused by the openssl output, which actually
> shows a correctly configured server (for the particular SNI value
> us.wottot.com).
>
> So all browsers and mobile devices should be able to connect to
> us.wottot.com now.
>
>
> > but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting
> > Chain issues Incomplete, Extra certs, Contains anchor
>
> This is a fallback for clients not matching us.wottot.com.
>
> You probably have a "default" ssl server in your configuration that is
> still pointing to a path that you did not clean up. You should only
> define this certificate once in your nginx configurations, not
> multiple times in different server blocks.
>
>
>
OK. Problem solved. Thanks for your patience and your explanations.
James Read
>
> Lukas
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-leave@nginx.org
>
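The ordering rule from this thread (server certificate first, then the intermediate, no root) can be checked on a bundle file before nginx is reloaded. The following is an added example, not code from the thread or from nginx: it compares issuer and subject names only, does not verify signatures or consult a trust store, and the function names and sample certificates are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER issuer and subject Names taken from tbsCertificate."""
    _, start, _ = read_tlv(der, 0)       # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)   # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(der, pos)
        if tag != 0xA0:                  # skip the optional [0] version field
            fields.append(der[pos:value_end])
        pos = value_end
    return fields[2], fields[4]          # serial, sigAlg, issuer, validity, subject

def check_chain_file(pem_text):
    """List ordering problems in a bundle; names are compared, signatures are not verified."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = []
    for i in range(1, len(names)):
        issuer, subject = names[i]
        if issuer == subject:
            problems.append(f"cert {i}: self-signed root (contains anchor)")
        elif subject != names[i - 1][0]:
            problems.append(f"cert {i}: did not issue cert {i - 1} (wrong order or extra cert)")
    return problems

# Constructed sample data: unsigned certificate skeletons with only the fields read above.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def sample_pem(subject, issuer):
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))))
    tbs = (_tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + _tlv(0x30, b"")
           + name(issuer) + _tlv(0x30, b"") + name(subject))
    der = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"

LEAF = sample_pem("leaf.example", "Example Intermediate")
INTERMEDIATE = sample_pem("Example Intermediate", "Example Root")
ROOT = sample_pem("Example Root", "Example Root")
```

An empty list from `check_chain_file` means the file is in the leaf-then-intermediate order described above; a missing intermediate ("Incomplete") still needs an external check such as the SSL Labs report, since it depends on which roots the client trusts.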