Reverse proxy sends 'useless certificates'?

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

caddy.exe run

a. System environment:

Win10

b. Command:

n/a

c. Service/unit/compose file:

n/a

d. My complete Caddy config:

{
	log stdout
	log caddy-log {
		output file caddy.log {
			roll_size 10MiB
			roll_keep 5
			roll_keep_for 2160h
		}
	}
	default_sni myplace.com
}
webstuff.myplace.com:8443 {
	reverse_proxy :8080
	header / Strict-Transport-Security "max-age=63072000"
}

3. The problem I’m having:

I did a security scan from SSL Security Test | ImmuniWeb and it reports a “Misconfiguration or weakness” in the “CERTIFICATE CHAIN” section:

"Server sends useless certificates."
  Root CA: ISRG Root X1
  Intermediate CA: R3
  Server certificate: webstuff.myplace.com

Is this a valid issue, or is it benign?
Do these certs need to be sent back?

4. Error messages and/or full log output:

n/a

5. What I already tried:

n/a

6. Links to relevant resources:

That’s working as intended. Let’s Encrypt has multiple trust chains for compatibility with older clients (mainly old Android devices).

See the Let’s Encrypt website for more details:

This isn’t quite correct. You’re using a / matcher which means only requests to exactly / will have this header attached. Remove the / to make it apply to all requests.

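To see for yourself which chain a server sends, read the "Certificate chain" summary that `openssl s_client -connect HOST:8443 -servername HOST` prints. The script below is an added example (not from this thread and not Caddy's code): it parses a constructed sample of that summary for webstuff.myplace.com, checks that each certificate is issued by the next one, and reports which certificates are surplus for a client depending on which roots that client already trusts, which is exactly why a scanner can call the extra root "useless" while an old Android device still needs it. The sample chain and the trusted-root sets are assumptions for illustration.

```python
import re

# Constructed sample of the summary `openssl s_client` prints (no -showcerts).
# Host name is the one from the post; the chain is a typical Let's Encrypt
# compatibility chain, not a capture from the poster's server.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:CN = webstuff.myplace.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:CN = ..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")           # "   i:C = US, ..."


def _cn(dn: str) -> str:
    """Pull the CN out of an OpenSSL one-line DN such as 'C = US, O = X, CN = R3'."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text: str) -> list[dict]:
    """Return the certificates in the order the server sent them, leaf first."""
    chain, current = [], None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            current = {"index": int(m.group(1)), "subject": _cn(m.group(2)), "issuer": None}
            chain.append(current)
        elif current is not None and (m := ISSUER_RE.match(line)):
            current["issuer"] = _cn(m.group(1))
    return chain


def chain_is_ordered(chain: list[dict]) -> bool:
    """Every certificate must be issued by the next one the server sends."""
    return all(chain[k]["issuer"] == chain[k + 1]["subject"] for k in range(len(chain) - 1))


def surplus_for(chain: list[dict], trusted_roots: set[str]) -> list[str]:
    """Subjects a client holding *trusted_roots* does not need: everything the
    server sends after the chain first reaches a root that client trusts."""
    for k, cert in enumerate(chain):
        if cert["issuer"] in trusted_roots:
            return [c["subject"] for c in chain[k + 1:]]
    return []   # chain never reaches a trusted root: nothing is surplus, validation fails
```

With the sample chain, a modern client that trusts ISRG Root X1 gets the cross-signed ISRG Root X1 certificate as surplus, while a client that only trusts DST Root CA X3 needs all three.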

Thanks for the cert info. And thanks for the config tip!
