On Mon, Nov 14, 2022 at 10:34 PM Lukas Tribus <lu...@ltri.eu> wrote:

> On Mon, 14 Nov 2022 at 22:56, James Read <jamesread5...@gmail.com> wrote:
> >> So the file needs to contain first your certificate and then the
> >> intermediate one.
> >
> >
> > OK. Thanks. I rearranged the file and deleted some certificates. Now
> > sslabs is reporting no chain issues for Certificate #1: RSA 2048 bits
> > (SHA256withRSA)
>
> Correct, a TLS session negotiated with SNI us.wottot.com is now
> correctly showing the intermediate certificate.
> You are not sending the root certificate here, which is also
> completely correct at this point.
>
> The previous poster is confused by the openssl output, which actually
> shows a correctly configured server (for the particular SNI value
> us.wottot.com).
>
> So all browsers and mobile devices should be able to connect to
> us.wottot.com now.
>
>
> > but for Certificate #2: RSA 2048 bits (SHA256withRSA) it is reporting
> > Chain issues Incomplete, Extra certs, Contains anchor
>
> This is a fallback for clients not matching us.wottot.com.
>
> You probably have a "default" ssl server in your configuration that is
> still pointing to a path that you did not cleanup. You should only
> define this certificate once in your nginx configurations, not
> multiple times in different server blocks.
>
>

Thanks for clarifying things. I have a single default file. Here are the contents:
cat /etc/nginx/sites-available/default

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name _;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass PHP scripts to FastCGI server
    #
    #location ~ \.php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php-fpm (or other unix sockets):
    #    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    #    # With php-cgi (or other tcp sockets):
    #    fastcgi_pass 127.0.0.1:9000;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#    listen 80;
#    listen [::]:80;
#
#    server_name example.com;
#
#    root /var/www/example.com;
#    index index.html;
#
#    location / {
#        try_files $uri $uri/ =404;
#    }
#}

Is there a problem with configuration?

James Read

> Lukas
> _______________________________________________
> nginx mailing list -- nginx@nginx.org
> To unsubscribe send an email to nginx-le...@nginx.org
>
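An added example, not part of the thread and not nginx project code: a shell check for the chain findings discussed above (certificates out of order, extra certificates, a root included in the bundle), run over every file that an `ssl_certificate` directive in the loaded configuration points to. The function names and the subject/issuer strings in the demo are constructed for illustration; the single-certificate "incomplete" check is a heuristic, since the bundle alone cannot show what clients trust.

```shell
#!/bin/sh
# Added example, not from the thread. Subject/issuer strings in the demo are constructed.

# Print subject=/issuer= for every certificate in a PEM bundle, in file order.
bundle_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Read subject=/issuer= pairs on stdin; print one finding per problem, or "ok".
# Returns non-zero when a problem was found.
check_chain() {
    awk '
        /^subject=/ { sub(/^subject= */, ""); subj[++n] = $0 }
        /^issuer=/  { sub(/^issuer= */, "");  iss[n] = $0 }
        END {
            if (n == 0) { print "no certificates found"; exit 1 }
            for (i = 1; i <= n; i++) {
                if (subj[i] == iss[i]) {
                    print "cert " i ": self-signed, bundle contains anchor"; bad = 1
                }
                if (i < n && iss[i] != subj[i + 1]) {
                    print "cert " i ": not issued by cert " (i + 1) ", wrong order or extra cert"; bad = 1
                }
            }
            if (n == 1 && subj[1] != iss[1]) {   # heuristic: leaf with nothing after it
                print "cert 1: no intermediate follows, chain may be incomplete"; bad = 1
            }
            if (!bad) print "ok"
            exit bad
        }'
}

# Check every file named by an ssl_certificate directive in the loaded config.
# nginx -T dumps the full configuration, included files too (needs read access).
audit_nginx() {
    nginx -T 2>/dev/null |
        awk '$1 == "ssl_certificate" { sub(/;$/, "", $2); print $2 }' | sort -u |
        while read -r pem; do
            echo "== $pem"
            bundle_names "$pem" | check_chain
        done
}

# Constructed demo: intermediate placed before the leaf, root appended.
printf '%s\n' \
    'subject=CN = Example Intermediate' 'issuer=CN = Example Root' \
    'subject=CN = us.example.test'      'issuer=CN = Example Intermediate' \
    'subject=CN = Example Root'         'issuer=CN = Example Root' | check_chain || true
```

Run `audit_nginx` as a user that can read the nginx configuration; more than one path in its output means the certificate is configured in more than one place.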