7bc669f46f2444b07b01749af60c9de0b5808f2a
galt
  Fri Jun 2 11:57:37 2023 -0700
openssl s_client will not work right unless both the -trusted_first and -servername are provided.

diff --git src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
index 3c9e3ee..c2117ea 100755
--- src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
+++ src/hg/htdocs/goldenPath/help/hgTrackHubHelp.html
@@ -1157,31 +1157,31 @@
 To help system administrators, here are groups that provide free web certs, including
 the popular <a href="https://letsencrypt.org/" target="_blank">LETSENCRYPT</a></p>
 <p>
 <b>Testing your site certs</b></p>
 <p>
 Here are ways to check HTTPS certificates, such as with <code>curl</code>, which uses openssl.
 <pre>
 curl https://yourdomain.com/yourhub/hub.txt
 </pre>
 <p>
 If curl can fetch the hub.txt HTTPS URL without errors, then the certs should work
 with the UCSC Genome Browser.</p>
 <p>
 For a deeper level of debugging, system administrators can use the open ssl client command:
 <pre>
-openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
+openssl s_client -trusted_first -connect yourdomain.com:443 -servername yourdomain.com
 </pre></p>
 <p>
 Various online SSL Server Test sites have great detailed documentation about how
 to check your website's certs and configuration, such as <a href="https://www.ssllabs.com/ssltest/"
 target="_blank">https://www.ssllabs.com/ssltest/</a>. Here is an example where you can
 supply yourdomain.com and discover results:
 <pre>
 https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com&latest
 </pre></p>
 <p>
 Feel free to contact UCSC Genome Browser for help if you are seeing certificate
 validation error messages you do not understand.</p>
 
 
 <!--#include virtual="$ROOT/inc/gbPageEnd.html" -->