How do I get the shortest ISRG Root X2 ECDSA chain now

It's showing two paths because there are actually two valid trust paths

If you were still on the long chain, path 2 should show "sent by server" instead of "extra download"

also look at this section:

It shows your server is only sending the E1 certificate; if you were on the long chain, you'd be sending the X2 certificate as well, and the "certificates provided" would be 3 instead of 2.

2 Likes

Looks like my fullchain.pem file is 2.25 KB (2,307 B) so it is a long chain.

The fullchain.pem includes both the chain.pem and your actual certificate; look at the chain.pem (or, if you don't have one, subtract the size of your cert.pem from the fullchain.pem and that'll tell you what the size of the chain.pem would be).

fullchain.pem is just cert.pem and chain.pem concatenated together

this is how it would look if you were still on the long chain

2 Likes
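A small script for checking the point made above (fullchain.pem is cert.pem followed by chain.pem, so the number of PEM blocks tells you whether you are on the short or the long chain) and the later observation that E1 carries a CA Issuers URI. This is an added example, not code from the thread or from Let's Encrypt; the certificate bytes it builds are constructed placeholders, not real certificates, and the `ca_issuers_uri` helper is a byte scan for the id-ad-caIssuers OID rather than a full X.509 parser.

```python
"""Inspect a fullchain.pem: count PEM blocks, derive the size of chain.pem,
and look for a CA Issuers URI in each certificate's DER.

Added example; the certificates built by _fake_cert() are constructed
placeholders, not real Let's Encrypt certificates."""
import base64
import re
from typing import Dict, List, Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
# id-ad-caIssuers (1.3.6.1.5.5.7.48.2) as a DER-encoded OID. In a real AIA
# extension it is followed by a [6] uniformResourceIdentifier (tag 0x86).
CA_ISSUERS_OID = bytes.fromhex("06082b06010505073002")
URI_TAG = 0x86


def split_pem(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in PEM text."""
    return [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(text)]


def ca_issuers_uri(der: bytes) -> Optional[str]:
    """Return the URI following the first id-ad-caIssuers OID, if any.
    Assumes a short-form length byte (< 128), which holds for normal AIA URLs."""
    idx = der.find(CA_ISSUERS_OID)
    if idx < 0:
        return None
    pos = idx + len(CA_ISSUERS_OID)
    if pos + 2 > len(der) or der[pos] != URI_TAG:
        return None
    length = der[pos + 1]
    return der[pos + 2 : pos + 2 + length].decode("ascii")


def chain_summary(fullchain_pem: str, cert_pem: str) -> Dict[str, object]:
    """Count certificates, compute the chain.pem size, and classify the chain.
    fullchain.pem is cert.pem + chain.pem, so chain.pem's size is the difference."""
    certs = split_pem(fullchain_pem)
    leaf = split_pem(cert_pem)
    if not leaf or certs[0] != leaf[0]:
        raise ValueError("fullchain.pem does not start with cert.pem")
    chain_bytes = len(fullchain_pem.encode()) - len(cert_pem.encode())
    # leaf + E1 = 2 blocks (short ECDSA chain ending at ISRG Root X2);
    # leaf + E1 + X2-cross-signed-by-X1 = 3 blocks (long chain to ISRG Root X1).
    kind = {2: "short", 3: "long"}.get(len(certs), "unexpected")
    return {
        "certificates_provided": len(certs),
        "chain_pem_bytes": chain_bytes,
        "chain": kind,
        "ca_issuers": [ca_issuers_uri(c) for c in certs],
    }


def _fake_cert(label: bytes, uri: Optional[str] = None) -> str:
    """Build a constructed PEM block (NOT a real certificate) whose body
    optionally embeds an id-ad-caIssuers OID followed by a [6] URI."""
    body = b"\x30\x82" + label.ljust(40, b"\x00")
    if uri:
        body += CA_ISSUERS_OID + bytes([URI_TAG, len(uri)]) + uri.encode()
    b64 = base64.encodebytes(body).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample inputs (hypothetical cert.pem / fullchain.pem contents).
LEAF = _fake_cert(b"leaf")
E1 = _fake_cert(b"E1-intermediate", "http://x2.i.lencr.org/")
X2_CROSS = _fake_cert(b"X2-cross-signed-by-X1")

SHORT_FULLCHAIN = LEAF + E1            # what the short chain looks like
LONG_FULLCHAIN = LEAF + E1 + X2_CROSS  # what the long chain looks like

if __name__ == "__main__":
    for name, fc in (("short", SHORT_FULLCHAIN), ("long", LONG_FULLCHAIN)):
        print(name, chain_summary(fc, LEAF))
```

To use it on a real deployment, read cert.pem and fullchain.pem from your certbot live directory and pass their contents to `chain_summary`; a result of 2 certificates with a CA Issuers URI on the second one matches the short chain the thread describes, while 3 certificates is the long chain.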

Thank you all for your help, looks like it is working correctly now. :sparkler:

Just a side question: the certificate is working fine on Android, when it should be showing me an error on Android 13, since Android 14 is not out yet. I can see the path to X1 on the Android phone. X2 is not on Android yet, or am I wrong?

1 Like

I'm guessing that the device you're testing with has seen the X2-signed-by-X1 in the past, and uses that cached certificate when determining trust. I suspect that if you used a factory-reset phone that it wouldn't trust it. End-user devices work very hard to try to work around servers that don't send out a full trust chain correctly. (I'm merely speculating, I don't personally know anything about how Android exactly determines trust.)

5 Likes

The E1 intermediate signing certificate has this one in it:

            Authority Information Access:
                CA Issuers - URI:http://x2.i.lencr.org/

This URL points to the X2 cross-signed by X1 certificate. Even if the X2 is not in the trust store, some TLS stacks might still be able to build a valid trust path without any cached certificate.

5 Likes

Nice catch! I assume the theory there is that any client with Root X2 already in its trust store wouldn't need to follow the CA Issuer link there, but probably would have Root X1 in its trust store? When they next make intermediates (which I'm assuming they have planned to do within the next year or so), would those intermediates still have the same link, or would they use a different one? Or is it that the URL might stay the same, and the certificate it returns change eventually once Root X2 is presumed to be everywhere that it's going to get?

6 Likes

Just found out https://iamroot.tech is also a good tool for webmasters.

1 Like

LOL
I read that as:
I AM GROOT!

4 Likes

Looks like you are correct, on an old tablet with Android 7 there is no SSL error even with the new certificate on Vivaldi web browser.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.