SSL Chain issue: Contains anchor

jvwag
Posts: 1
Joined: Thu Jul 13, 2017 12:20 pm

SSL Chain issue: Contains anchor

Post by jvwag »

After testing an SSL deployment as described in the wiki (https://wiki.zimbra.com/wiki/Installing ... laboration), I tested the installation with the Qualys SSL Server Test site.

The result was a nice A and a minor warning about the sent server chain. This chain included not only the intermediate certificates but also the root CA certificate. For SSL clients this is not strictly needed and can cause some (minor) issues later on.

If I remove the root CA certificate from my input files (certificate_ca.crt) the deploy tool will fail. And with the root CA certificate, Qualys will report an error.

How would I go about fixing this? I could edit all deployed files to strip the CA after the validation, but this seems cumbersome. Should the deployment tool be improved to support non-self-signed root CAs and maybe validate them against the OS's certificate store?
rotorboy
Advanced member
Posts: 169
Joined: Fri Sep 12, 2014 11:24 pm

Re: SSL Chain issue: Contains anchor

Post by rotorboy »

I just did the SSL test and discovered the same error on my Zimbra server. I'm concerned there's a problem, as I found this after a user sent in a screenshot of their browser showing an SSL error that is preventing them from logging in: err_ssl_protocol_error
When I try our Zimbra https:// URL from Chrome, Firefox or Edge, it seems to be working fine for me.
andreag
Posts: 3
Joined: Thu Jan 16, 2020 9:49 pm

Re: SSL Chain issue: Contains anchor

Post by andreag »

Hi, I'm experiencing the same problem. In order to get the certificate deploy process working I had to add the root CA as seen here: https://wiki.zimbra.com/wiki/Installing ... ertificate, but now some iOS clients are getting a certificate error, and I suspect that it's related to the "Contains anchor" issue reported by Qualys SSL Labs.

I was thinking of doing exactly this:
"edit all deployed files to strip the CA after the validation"
Do you have any updates on this issue?
firecruz
Posts: 1
Joined: Sun May 23, 2021 12:33 am

Re: SSL Chain issue: Contains anchor

Post by firecruz »

I'm also facing the same issue. Everything works, but SSL Labs highlights this issue, i.e. "Certificate Chain Contains Anchor!":
Additional Certificates (if supplied)
Certificates provided: 3 (3335 bytes)
Chain issues: Contains anchor
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: SSL Chain issue: Contains anchor

Post by L. Mark Stone »

It’s a benign error as reported by SSL labs, Qualys, etc.

All popular modern operating systems include a package for all of the common root certificates. Browsers also ship with a collection of root certificates.

Zimbra’s multiple certificate stores, to eliminate a dependency on the operating system, require the entire certificate chain to be installed.

So what SSL Labs are seeing is Zimbra presenting an entire certificate chain, including a root certificate. Since the testing sites know that browsers ship with root certs, the labs flag this condition as a warning.

But it’s a benign warning. As I understand it, browsers will use first the certificate chain presented to them by the host. If the chain is incomplete (i.e. missing a root cert), the browser will look to its own certificate store to try to complete the chain. When talking to Zimbra, browsers don’t have to do that.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
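The check below is an added example, not Zimbra's deploy tooling or any poster's code. It inspects a PEM bundle such as certificate_ca.crt the way the thread describes the SSL Labs "Contains anchor" finding (a self-signed root present in the served chain), and can write a copy with the root stripped, which is the workaround the first and third posts contemplate. Function names are my own; it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example (not Zimbra's deploy tooling): inspect a PEM bundle such as
# certificate_ca.crt and tell whether it carries a self-signed root, the
# condition the Qualys report calls "Contains anchor". Assumes openssl on PATH.
set -e

# Split a PEM bundle into one file per certificate (outdir/cert-N.pem);
# prints the number of certificates found.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        n { print > f }
        /-----END CERTIFICATE-----/ { close(f) }
        END { print n + 0 }
    ' "$1"
}

# A certificate whose issuer name equals its own subject name is a trust
# anchor candidate; leaf and intermediate certs name a different issuer.
# The two hashes compared are the subject and issuer name hashes.
is_self_signed() {
    set -- $(openssl x509 -noout -subject_hash -issuer_hash -in "$1")
    [ "$1" = "$2" ]
}

# Print "yes" if the bundle contains a self-signed root, otherwise "no".
chain_contains_anchor() {
    dir=$(mktemp -d); result=no
    split_bundle "$1" "$dir" >/dev/null
    for c in "$dir"/cert-*.pem; do
        is_self_signed "$c" && result=yes
    done
    rm -rf "$dir"; echo "$result"
}

# Write a copy of the bundle with every self-signed root removed, i.e. the
# chain a server needs to send: leaf plus intermediates only. Keep the
# original bundle for tooling that insists on seeing the root.
strip_anchor() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir" >/dev/null
    : > "$2"
    for c in "$dir"/cert-*.pem; do
        is_self_signed "$c" || cat "$c" >> "$2"
    done
    rm -rf "$dir"
}
```

Run `chain_contains_anchor /path/to/bundle.pem` against the bundle your server actually presents; a "yes" matches the SSL Labs warning, and the browsers Mark describes will still validate the chain either way.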