On Mon, Nov 14, 2022 at 10:12 PM Jeffrey Walton <noloa...@gmail.com> wrote:
> On Mon, Nov 14, 2022 at 4:59 PM James Read <jamesread5...@gmail.com> wrote:
>
>> ...
>> OK. Thanks. I rearranged the file and deleted some certificates. Now
>> sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits
>> (SHA256withRSA) but for Certificate #2: RSA 2048 bits (SHA256withRSA) it
>> is reporting
>> Chain issues
>> *Incomplete, Extra certs, Contains anchor*
>>
>> Any ideas?
>>
>
> The certificate chain for us.wottot.com still looks off to me. depth=1
> and depth=0 are Ok. But at depth=2, you do not need the certificate with
> 'CN = Starfield Root Certificate Authority - G2'.
>

I don't understand how there can be a depth=2. My certificate file only now has two certificates in it.

James Read

> You don't send the Root CA. User agents must already have the Root CA in
> their store (and trust it). Some user agents, like browsers, even carry
> around a bunch of intermediate certificates.
>
> Jeff
>
> $ openssl s_client -connect us.wottot.com:443 -servername us.wottot.com -showcerts
> CONNECTED(00000003)
> depth=2 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
> verify return:1
> depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
> verify return:1
> depth=0 CN = *.wottot.com
> verify return:1
> ---
> Certificate chain
>  0 s:CN = *.wottot.com
>    i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>  1 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>    i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Root Certificate Authority - G2
> ---
> Server certificate
> subject=CN = *.wottot.com
>
> issuer=C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certs.starfieldtech.com/repository/, CN = Starfield Secure Certificate Authority - G2
>
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-le...@nginx.org
>
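Added example, not part of the thread and not nginx or OpenSSL code: in `openssl s_client` output the `depth=` lines show the path the client verified, which can end in a root taken from the client's own trust store, while the `Certificate chain` section lists only the certificates the server sent. The Python sketch below compares the two on text shaped like the output quoted above; the `render` and `audit` helpers and the root-appended sample are constructed for illustration, and names are compared as plain strings, which is an approximation of real path validation.

```python
import re

# Distinguished names copied from the s_client output quoted in this thread.
ROOT = ('C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", '
        'CN = Starfield Root Certificate Authority - G2')
INTER = ('C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", '
         'OU = http://certs.starfieldtech.com/repository/, '
         'CN = Starfield Secure Certificate Authority - G2')
LEAF = 'CN = *.wottot.com'

def render(sent):
    """Constructed s_client-style text: verify lines, then the chain the server sent."""
    path = [ROOT, INTER, LEAF]
    lines = [f"depth={2 - k} {dn}\nverify return:1" for k, dn in enumerate(path)]
    lines += ["---", "Certificate chain"]
    lines += [f" {n} s:{subj}\n   i:{iss}" for n, (subj, iss) in enumerate(sent)]
    return "\n".join(lines + ["---"])

AS_IN_THREAD = render([(LEAF, INTER), (INTER, ROOT)])             # two certs sent
WITH_ROOT = render([(LEAF, INTER), (INTER, ROOT), (ROOT, ROOT)])  # constructed: root appended

def audit(text):
    """Compare the verified path (depth= lines) with the certificates actually sent."""
    verified = re.findall(r"^depth=(\d+) (.+)$", text, re.M)
    subjects = re.findall(r"^[ \t]*\d+ s:(.+)$", text, re.M)
    issuers = re.findall(r"^[ \t]+i:(.+)$", text, re.M)
    sent = list(zip(subjects, issuers))
    issues = []
    for n, (subj, iss) in enumerate(sent):
        if subj == iss:
            # subject == issuer is treated as a self-signed root (string comparison only)
            issues.append(f"contains anchor: cert {n} is self-signed")
        elif n + 1 < len(sent) and sent[n + 1][0] != iss:
            issues.append(f"order: cert {n + 1} is not the issuer of cert {n}")
    # Anything in the verified path that was not sent came from the local trust store.
    local = [f"depth={d}" for d, dn in verified if dn not in subjects]
    return {"sent": len(sent), "from_local_store": local, "issues": issues}

if __name__ == "__main__":
    print(audit(AS_IN_THREAD))
    print(audit(WITH_ROOT))
```

To run it against a live server, pass the captured text of `openssl s_client -connect host:443 -servername host -showcerts </dev/null` to `audit`.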