On Mon, 14 Nov 2022 at 22:56, James Read <jamesread5...@gmail.com> wrote:
>> So the file needs to contain first your certificate and then the
>> intermediate one.
>
> OK. Thanks. I rearranged the file and deleted some certificates. Now sslabs
> is reporting no chain issues for Certificate #1: RSA 2048 bits (SHA256withRSA)

Correct, a TLS session negotiated with SNI us.wottot.com is now correctly
showing the intermediate certificate. You are not sending the root
certificate here, which is also completely correct at this point.

The previous poster is confused by the openssl output, which actually shows
a correctly configured server (for the particular SNI value us.wottot.com).

So all browsers and mobile devices should be able to connect to
us.wottot.com now.

> but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting
> Chain issues Incomplete, Extra certs, Contains anchor

This is a fallback for clients not matching us.wottot.com. You probably have
a "default" ssl server in your configuration that is still pointing to a
path that you did not clean up.

You should only define this certificate once in your nginx configurations,
not multiple times in different server blocks.

Lukas
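
The situation described in the reply above, as an added nginx configuration sketch that is not part of the original thread and is not the poster's actual configuration. All file paths, the catch-all server block and the document root are assumptions made for illustration.

```nginx
# Added illustration. Paths and block layout are hypothetical.

# BEFORE (kept as comments): the catch-all server still loads a stale bundle,
# so clients that send no SNI, or an SNI that matches no server_name, get a
# different chain than clients asking for us.wottot.com.
#
# server {
#     listen 443 ssl default_server;
#     server_name _;
#     ssl_certificate     /etc/nginx/ssl/old-bundle.pem;   # stale file, never cleaned up
#     ssl_certificate_key /etc/nginx/ssl/wottot.key;
# }
# server {
#     listen 443 ssl;
#     server_name us.wottot.com;
#     ssl_certificate     /etc/nginx/ssl/fullchain.pem;    # the rearranged file
#     ssl_certificate_key /etc/nginx/ssl/wottot.key;
# }

# AFTER: the certificate is defined once, at http level, and inherited by
# every server block, so the fallback and the named host serve the same chain.
events {}

http {
    # fullchain.pem order: the server certificate first, then the
    # intermediate certificate. The root certificate is not included.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/wottot.key;

    # Fallback for clients whose SNI does not match any server_name.
    server {
        listen 443 ssl default_server;
        server_name _;
        return 404;
    }

    server {
        listen 443 ssl;
        server_name us.wottot.com;
        root /var/www/us.wottot.com;   # hypothetical document root
    }
}
```

Running `nginx -T` prints the complete effective configuration, which makes it easy to search for every remaining `ssl_certificate` directive across included files.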