After testing an SSL deployment as described in the wiki (https://wiki.zimbra.com/wiki/Installing ... laboration), I have tested the installation with the Qualys SSL Server test site.
The result was a nice A and a minor warning about the sent server chain. This chain included not only the intermediate certificates but also the root CA certificate. For SSL clients this is not strictly needed and can cause some (minor) issues later on.
If I remove the root CA certificate from my input files (certificate_ca.crt) the deploy tool will fail. And with the root CA certificate, Qualys will report an error.
How would I go about fixing this? I could edit all deployed files to strip the CA after the validation, but this seems cumbersome. Should the deployment tool be improved to support non-self-signed root CAs and maybe validate them against the OS's certificate store?
SSL Chain issue: Contains anchor
Re: SSL Chain issue: Contains anchor
I just did the SSL test and discovered the same error on my Zimbra server. I'm concerned there's a problem, as I found this after a user sent in a screenshot of their browser showing an SSL error that is preventing them from logging in: err_ssl_protocol_error
When I try our Zimbra https:// URL from Chrome, FireFox or Edge it seems to be working fine for me.
Re: SSL Chain issue: Contains anchor
Hi, I'm experiencing the same problem. In order to get the certificate deploy process working I had to add the root CA as seen here: https://wiki.zimbra.com/wiki/Installing ... ertificate but now some iOS clients are getting a certificate error, and I suspect that it's related to the "Contains anchor" issue reported by Qualys SSL Labs.
I was thinking to do exactly this: "edit all deployed files to strip the CA after the validation"
Do you have any updates on this issue?
Re: SSL Chain issue: Contains anchor
I'm also facing the same issue. Everything works, but SSL Labs highlights this issue, i.e. "Certificate Chain Contains Anchor!"
Additional Certificates (if supplied)
Certificates provided 3 (3335 bytes)
Chain issues Contains anchor
- L. Mark Stone
- Ambassador
- Posts: 2796
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.6 Network Edition
Re: SSL Chain issue: Contains anchor
It’s a benign error as reported by SSL labs, Qualys, etc.
All popular modern operating systems include a package for all of the common root certificates. Browsers also ship with a collection of root certificates.
Zimbra’s multiple certificate stores, to eliminate a dependency on the operating system, require the entire certificate chain to be installed.
So what SSL Labs are seeing is Zimbra presenting an entire certificate chain, including a root certificate. Since the testing sites know that browsers ship with root certs, the labs flag this condition as a warning.
But it’s a benign warning. As I understand it, browsers will use first the certificate chain presented to them by the host. If the chain is incomplete (i.e. missing a root cert), the browser will look to its own certificate store to try to complete the chain. When talking to Zimbra, browsers don’t have to do that.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
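The thread's two practical questions are how to tell which certificate in the served chain is the anchor SSL Labs is warning about, and how to strip it from a deployed PEM bundle after validation. The script below is an added example, not code from this thread or from Zimbra: it splits a PEM bundle, walks just enough of each certificate's DER to compare the issuer and subject Names, treats a self-issued certificate (issuer == subject) as the anchor, and writes the bundle back without it. The sample chain it runs on is constructed inline from unsigned, certificate-shaped DER so the script works offline; the hostnames and CA names in it are placeholders. In real use you would feed it certificate_ca.crt or the certificates printed by `openssl s_client -connect host:443 -showcerts`.

```python
import base64
import re

# Matches each PEM certificate block in a bundle such as certificate_ca.crt
# or the certificates printed by `openssl s_client -showcerts`.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER-encoded issuer and subject Names of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    """
    _, pos, _ = _read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, tbs_end = _read_tlv(der, pos)  # tbsCertificate SEQUENCE
    tag, _, nxt = _read_tlv(der, pos)
    if tag == 0xA0:                        # skip the explicit [0] version
        pos = nxt
    fields = []
    while pos < tbs_end and len(fields) < 5:
        _, _, end = _read_tlv(der, pos)
        fields.append(der[pos:end])        # keep the whole TLV for a byte-exact compare
        pos = end
    # fields: serialNumber, signature, issuer, validity, subject
    return fields[2], fields[4]


def is_self_signed(der):
    """A self-issued certificate (issuer == subject) is the anchor SSL Labs flags."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def pem_to_der(bundle):
    """Decode every PEM certificate in the bundle to DER, in served order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(bundle)]


def strip_anchor(bundle):
    """Return (bundle without self-issued roots, number of certificates removed)."""
    kept, removed = [], 0
    for m in PEM_CERT.finditer(bundle):
        der = base64.b64decode("".join(m.group(1).split()))
        if is_self_signed(der):
            removed += 1
        else:
            kept.append(m.group(0) + "\n")
    return "".join(kept), removed


# ---- constructed sample chain: unsigned, certificate-shaped DER for the demo only ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }"""
    cn_oid = _tlv(0x06, bytes([0x55, 0x04, 0x03]))
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, cn_oid + _tlv(0x0C, cn.encode()))))


def fake_cert_pem(subject_cn, issuer_cn):
    """Build a placeholder certificate with only the fields the parser walks."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes(
        [0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"340101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))   # empty signature
    b64 = base64.b64encode(cert).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----")


# Same order as the served chain in the thread: leaf, intermediate, then the root.
SAMPLE_CHAIN = (fake_cert_pem("mail.example.com", "Example Intermediate CA") + "\n"
                + fake_cert_pem("Example Intermediate CA", "Example Root CA") + "\n"
                + fake_cert_pem("Example Root CA", "Example Root CA") + "\n")

if __name__ == "__main__":
    cleaned, removed = strip_anchor(SAMPLE_CHAIN)
    print(f"removed {removed} anchor certificate(s); {cleaned.count('BEGIN')} remain")
```

Two caveats follow from the thread itself. First, Zimbra's deploy tool wants the root present for its own validation, so this kind of stripping is something you apply to the served chain after deployment, not to the input you hand the tool. Second, the issuer == subject test identifies the anchor, not whether the rest of the chain is complete; before and after editing, re-check the served chain with the SSL Labs test or `openssl s_client -showcerts` so an intermediate is not dropped by mistake, which would turn a benign warning into the kind of client-side error the later posts describe.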