[squeak-dev] SSL/Socket error code interpretation

Levente Uzonyi leves at caesar.elte.hu
Tue May 12 18:54:11 UTC 2020


On Tue, 12 May 2020, Tobias Pape wrote:

>
>> On 12.05.2020, at 19:34, tim Rowledge <tim at rowledge.org> wrote:
>> 
>> Thank you *very* much to Tobias and Levente for explaining this. At least it isn't just something I screwed up, so that makes me feel a bit less stupid. The connection has been working ok until recently though, which I suspect means somebody has been Fiddling With The Server. Hands may get slapped.
>> 
>> I thought I knew more about these certificate things than I ever wanted; now I know I know nothing. Which is *still* more than I ever wanted :-)
>
> == If you control the server ==
>
> Make sure to send a cert that includes the intermediate issuer, in this case
> 	/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
>
> The cert chain via openssl s_client looks like this:
>
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
>   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
>
>
> But should look like this:
>
> Certificate chain
> 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai
>   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
> 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
>   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
>
> (including the root cert "COMODO RSA Certification Authority" is _not_ recommended tho)
>
> And then have the professionals check it:
> 	https://www.ssllabs.com/ssltest/analyze.html?d=sagetea.ai&latest

hideResults?


Levente

>
>
> Best regards
> 	-Tobias
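
The check described in the quoted message, as an added example that is not part of the original thread: it parses the "Certificate chain" section of `openssl s_client` output and reports when the server leaves out an intermediate or sends a self-signed root. The function names and the `trusted_roots` set (standing in for the client's trust store) are assumptions, and it only compares subject and issuer names; it does not verify signatures.

```python
import re

# Constructed sample input: the two chain listings quoted in the message above.
LEAF = "/OU=Domain Control Validated/OU=PositiveSSL/CN=sagetea.ai"
INTERMEDIATE = ("/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited"
                "/CN=COMODO RSA Domain Validation Secure Server CA")
ROOT = ("/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited"
        "/CN=COMODO RSA Certification Authority")
BROKEN = f"Certificate chain\n 0 s:{LEAF}\n   i:{INTERMEDIATE}\n"
FIXED = BROKEN + f" 1 s:{INTERMEDIATE}\n   i:{ROOT}\n"


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\d+\s+s:(.*)", line)
        if m:
            subject = m.group(1).strip()
        elif line.startswith("i:") and subject is not None:
            chain.append((subject, line[2:].strip()))
            subject = None
    return chain


def audit_chain(text, trusted_roots):
    """List the problems a client holding only `trusted_roots` would hit."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates found in input"]
    findings = []
    for depth, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            findings.append(f"depth {depth}: self-signed root sent; not recommended")
        elif depth + 1 < len(chain):
            # The next certificate sent must be this one's issuer.
            if chain[depth + 1][0] != issuer:
                findings.append(f"depth {depth}: next cert is not the issuer")
        elif issuer not in trusted_roots:
            # Last cert sent: the client must already trust its issuer.
            findings.append(f"depth {depth}: issuer not sent and not trusted: {issuer}")
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit_chain(sample, {ROOT}) or "chain complete")
```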

