Thank you Viktor.

I will update the CAFile and report back. 

I think you answered weistse question. 

Regards,
 
Wayne

 
 
Sent from my iPhone; typos expected and endorsed by Apple

> On Jan 19, 2022, at 1:28 PM, Viktor Dukhovni <[email protected]> wrote:
> 
> On Wed, Jan 19, 2022 at 01:09:09PM -0500, Wayne Spivak wrote:
> 
>> This from SSL Labs states "self-signed":
> 
> Their report is misleading.
> 
>> 1    Sent by server    mcq.sbanetweb.com
>> Fingerprint SHA256:
>> 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
>> Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
>> RSA 2048 bits (e 65537) / SHA256withRSA
> 
> The actual certificate list returned consists of just the server
> certificate, and is missing the intermediate issuer(s).  See below.
> 
>> If it is an Intermediate, I refer to my original email, "where am I going
>> wrong".
> 
> Your certificate file contains only the server certificate, it should,
> after the server certificate, which must be listed first, also contain
> the certificates of any intermediate or cross certificates needed to
> complete the chain to a trusted root CA.
> 
> You're missing at least the certificate of the intermediate issuer CA
> with a "CommonName" of "Entrust Certification Authority - L1K":
> 
>    $ posttls-finger -cC -lsecure '[mcq.sbanetweb.com]'
>    posttls-finger: certificate verification failed for mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
>    posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - L1K, fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC, pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
>    posttls-finger: Untrusted TLS connection established to mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
> 
>    ---
>    Certificate chain
>     0 subject: /C=US/ST=New York/L=Bellmore/O=SBA  Consulting LTD/CN=mcq.sbanetweb.com
>        issuer: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
>       cert digest=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC
>       pkey digest=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
> 
> -- 
>    Viktor.
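
The ordering rule described in the quoted reply (server certificate first, then each issuer in turn) can be checked offline before reloading the mail server. The following is an added example, not part of the original thread or of Postfix: it reads a PEM file's issuer and subject names with a minimal DER walk and reports ordering problems plus the issuer that is still absent from the file. The sample certificates are constructed unsigned skeletons, and "Example Root CA" and all function names are assumptions.

```python
import base64, re

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):  # raw DER of the issuer and subject Names
    _, pos, _ = read_tlv(der, 0)    # Certificate
    _, pos, _ = read_tlv(der, pos)  # tbsCertificate
    fields = []                     # serial, sigalg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:             # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def common_name(name):
    i = name.find(b"\x06\x03\x55\x04\x03")  # OID 2.5.4.3, commonName
    if i < 0: return "(no CN)"
    _, start, end = read_tlv(name, i + 5)
    return name[start:end].decode("utf-8", "replace")

def check_chain(pem_text):
    """Return (cert_count, ordering_problems, CN of the issuer not in the file)."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    names = [issuer_subject(base64.b64decode(b)) for b in blobs]
    if not names: return 0, ["no certificates found"], None
    problems = [f"cert {i + 1} is not the issuer of cert {i}"
                for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    issuer, subject = names[-1]
    # Peers must already trust this issuer; if it is an intermediate, append its cert.
    return len(names), problems, None if issuer == subject else common_name(issuer)

# Constructed, unsigned certificate skeletons (sample input, not real certificates).
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, enough for the samples
def skeleton_pem(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + tlv(0x30, b"")
              + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(tlv(0x30, tbs)).decode()
            + "-----END CERTIFICATE-----\n")
LEAF = skeleton_pem("Entrust Certification Authority - L1K", "mcq.sbanetweb.com")
INTERMEDIATE = skeleton_pem("Example Root CA", "Entrust Certification Authority - L1K")
```

A leaf-only file returns the intermediate's CN as the missing issuer, which is the same name posttls-finger reports as "untrusted issuer". The check compares names only and does not verify signatures or trust.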
