Useful script.

A related post worth reading is "Getting an A+ on Qualys SSL Labs Tester" - https://sethvargo.com/getting-an-a-plus-on-qualys-ssl-labs-tester/

Previous HN discussion: https://news.ycombinator.com/item?id=8749931

I've lost count of how many times I had to try reordering the certificates I fed to Amazon's load balancer. You get back very cryptic error messages, which is annoying since it could almost certainly work out the order for you...

This script looks very useful, thanks :)

I just went through this issue with my first site I've used SSL on. I thought everything was all good until I visited the site on my phone and got cert errors. Took me all night to figure out how to get them in the correct order, etc... Thanks for sharing this.

One thing to note is that the Qualys SSL Labs test will complain if your server sends the (self-signed) root CA certificate, which will already be in the end-user's trust store. This uses unnecessary bandwidth for every TLS negotiation.

In many cases, the CA (or company you got your certificate from) will include this root cert in the chain. With most web servers it is perfectly fine to simply remove it, but I have seen applications where you cannot (VMware, which wants a complete chain ending with a self-signed cert) and where you'll have to ignore the SSL Labs warning.
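As an added example (not the script the thread links to, nor any commenter's code), here is a stdlib-only Python check for the two problems the comments describe: a chain whose certificates are not in leaf-then-issuer order, and a trailing self-signed root that the client already trusts. The names `check_chain`, `names` and `fake_cert` are mine; the DER walker reads only the issuer and subject fields, and `fake_cert` builds constructed, unsigned stand-in certificates so the example runs offline.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    _, cert_start, _ = _tlv(der, 0)                    # Certificate SEQUENCE
    _, pos, end = _tlv(der, cert_start)                # tbsCertificate SEQUENCE
    fields = []
    while pos < end:                                   # collect the tbs fields in order
        tag, v_start, v_end = _tlv(der, pos)
        if tag != 0xA0:                                # skip the optional [0] EXPLICIT version
            fields.append(der[v_start:v_end])
        pos = v_end
    return fields[2], fields[4]                        # serial, sigAlg, issuer, validity, subject, ...

def check_chain(pem_text):
    """Findings for a PEM bundle; [] means leaf first, each cert followed by its issuer, no root."""
    certs = [names(base64.b64decode("".join(m.split()))) for m in PEM_RE.findall(pem_text)]
    findings = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:             # issuer of cert i must be subject of cert i+1
            findings.append(f"certificate {i} is not followed by its issuer")
    if certs and certs[-1][0] == certs[-1][1]:
        findings.append("last certificate is self-signed: a root the client already trusts")
    return findings

def _der(tag, body):                                   # short-form length only: toy data stays < 128 bytes
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """Constructed stand-in, not a real certificate: unsigned, only the fields check_chain reads."""
    def name(cn):                                      # Name ::= SEQUENCE { SET { SEQUENCE { CN OID, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    body = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed three-level chain: leaf signed by an intermediate, intermediate by a self-signed root.
LEAF, INTER, ROOT = fake_cert("www.example", "Int CA"), fake_cert("Int CA", "Root CA"), fake_cert("Root CA", "Root CA")
```

`check_chain(LEAF + INTER)` returns no findings, while `check_chain(INTER + LEAF + ROOT)` reports both the ordering mistake and the trailing root; the walker handles full-length DER, so the same call works on a real PEM bundle.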