On Tue, Sep 15, 2020 at 09:30:28AM +1000, William Brown wrote:
> The most likely reason for this is that a cert in the chain/path is
> not up to the standard expected by your client TLS library. You can check with:
>
>     openssl x509 -in FILE.PEM -noout -text | grep "Signature Algorithm"
>     Signature Algorithm: sha256WithRSAEncryption
>
> I think today most TLS libraries expect at least sha256 and 2048 bit certs.
> It's probably worth checking that all the certs from the CA, intermediates and your
> server cert are sha256 + 2048 bit or higher.
>
> Hope that helps,

Thanks William!
This was indeed the issue. We were using an older intermediate with
sha1. Changing that has fixed our issue.
Thanks!
Bryan
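
An added example, not part of the original thread: `openssl x509` reads only the first certificate in a file, so this script splits a PEM bundle and applies the check from the thread (signature hash and key size) to every certificate in it. The function names, the `chain.pem` file name, and the choice to apply the 2048-bit floor only to RSA/DSA keys are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: audit every certificate in a PEM bundle, not only the first.
# Usage (chain.pem is a placeholder name): audit_chain chain.pem

# Reads `openssl x509 -noout -text` output on stdin and prints
# "<OK|WEAK> <signature algorithm> <key algorithm> <key bits>".
classify_cert() {
    awk '
        /Signature Algorithm:/ && sig == ""  { sig = $NF }
        /Public Key Algorithm:/ && alg == "" { alg = $NF }
        /Public-Key: \(/ && !seen {
            b = $0; sub(/.*\(/, "", b); sub(/ bit.*/, "", b)
            bits = b + 0; seen = 1
        }
        END {
            verdict = "OK"
            # Thresholds from the thread: at least sha256 and 2048 bits.
            if (tolower(sig) ~ /md5|sha1/) verdict = "WEAK"
            # Assumption: the size floor applies to RSA/DSA only; EC keys
            # are much shorter by design.
            if (tolower(alg) ~ /rsa|dsa/ && bits < 2048) verdict = "WEAK"
            printf "%s %s %s %d\n", verdict, sig, alg, bits
        }'
}

# Splits a bundle into single certificates and classifies each one.
# Returns non-zero if any certificate is WEAK.
audit_chain() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert%03d.pem", dir, ++n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$bundle"
    rc=0
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -in "$f" -noout -subject)
        result=$(openssl x509 -in "$f" -noout -text | classify_cert)
        printf '%s  %s\n' "$result" "$subject"
        case $result in WEAK*) rc=1 ;; esac
    done
    rm -rf "$tmp"
    return $rc
}
```

Run it against the file the server actually presents (server certificate plus intermediates) and separately against the CA bundle, since a weak intermediate can sit in either.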