[Help] Solving "Chain issues - Contains anchor" in SSL Labs

Hi,
The above-mentioned error (Chain issues - Contains anchor) is shown when extra certs are sent by the server. I use cPanel. How can I stop the server from sending the certificate which is not needed?
https://www.ssllabs.com/ssltest/analyze.html?d=rcpcbd.com
I know that it's not so much important, but I was trying to fix it up. When I use PositiveSSL, this problem doesn't occur, but with WoSign it's occurring. Has anyone dealt with this earlier?
Comments
you should remove the ROOT certificate from your certificates chain file.
I was also thinking the same, but where is it located? Any idea?
How do you import the cert file into cPanel? Before you import, you should remove the ROOT cert from the cert file; you only need the domain cert and intermediate certs.
Perhaps you should re-import it after removing the ROOT.
Here you go:
WoSign sent me 2 .crt files.
I copied the cert into Certificate and copied the Root Bundle into CA Bundle. Where is the mistake?
I also filled up this box with the Root_bundle sent by WoSign. What should I do?
You should edit the Root_bundle.crt, remove the ROOT cert section within it, save it, and re-import again.
Ow, got that. Will re-importing solve the problem? I assume the root cert will still be there as it has been imported. Shouldn't I manually remove it?
Most CAs will give you the complete chain up to the root cert. The complete chain is needed when you want to activate OCSP stapling, but it is useless to send to every client, since either the client already has the cert and trusts it, or it doesn't trust the cert -- not even if you sent it to them.
This is roughly 1KB of useless traffic for every SSL handshake.
So SSL Labs is really transparent: you see the orange "Sent by server" for the cert "StartCom Certification Authority" with the fingerprint 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f. It is this cert: https://github.com/kargig/https-everywhere-greek-rules/blob/master/cert-validity/mozilla/builtin-certs/StartCom_Certification_Authority.crt
Just open the Root_bundle.crt with an editor and remove that part from the file. It should be the last cert in the file. Then import it again and recheck with SSL Labs.
I was just thinking about how I would find the root cert; now this would help me, I think. I'll check it at night.
Thanks, Cidero & all others who helped me. It's now solved :-)
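The two replies above say why the root should not be in the bundle (the client either already trusts it or never will) and how to spot it in SSL Labs by fingerprint. A way to find the anchor without an online scan is to check which certificate in the bundle is self-signed, i.e. its DER-encoded issuer Name is identical to its subject Name. The script below is an added example written for this thread; it is not cPanel's or WoSign's tooling, and the two sample certificates it builds are constructed, structurally valid X.509 shells with placeholder keys and signatures, not real WoSign or StartCom certificates. It uses only the Python standard library, so it can be run on a copy of Root_bundle.crt before importing it into the CA Bundle box.

```python
"""Find and strip the trust anchor (self-signed root) from a PEM CA bundle.

Added example, not code from the thread, cPanel or WoSign. A root certificate
is self-signed, so its DER-encoded issuer Name equals its subject Name byte for
byte; an intermediate names a different issuer. Standard library only: a small
DER walker reads just far enough into TBSCertificate to reach issuer and subject.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER bytes of the issuer and subject Names of a certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)             # serialNumber
    _, _, pos = _tlv(der, pos)             # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)             # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)             # validity
    _, _, end = _tlv(der, pos)             # subject Name
    return issuer, der[pos:end]


def pem_to_der(pem_block):
    """Decode a single PEM certificate block to DER."""
    return base64.b64decode(PEM_RE.search(pem_block).group(1))


def is_self_signed(der):
    """Self-signed heuristic used by chain checkers: issuer Name == subject Name."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def strip_anchors(pem_bundle):
    """Return (bundle without self-signed certs, number removed); order is preserved."""
    kept, removed = [], 0
    for m in PEM_RE.finditer(pem_bundle):
        if is_self_signed(base64.b64decode(m.group(1))):
            removed += 1
        else:
            kept.append(m.group(0))
    return "".join(c + "\n" for c in kept), removed


# --- constructed sample input (not real WoSign/StartCom certificates) ---------

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue; 06 03 55 04 03 = commonName
    atv = _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 v3 shell with placeholder key and signature (constructed)."""
    sha256_rsa = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                      # version v3
        _der(0x02, b"\x01"),                                  # serialNumber
        sha256_rsa,                                           # signature algorithm
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z")),
        _name(subject_cn),
        _der(0x30, sha256_rsa + _der(0x03, b"\x00")),         # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))   # signatureValue placeholder
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----")


def example_bundle():
    """Shape of a typical CA 'Root_bundle.crt': intermediate first, root last."""
    return (make_cert("Example Intermediate CA", "Example Root CA") + "\n"
            + make_cert("Example Root CA", "Example Root CA") + "\n")


if __name__ == "__main__":
    cleaned, n = strip_anchors(example_bundle())
    print(f"removed {n} anchor certificate(s); remaining bundle:\n{cleaned}")
```

Run it against a real bundle with `strip_anchors(open("Root_bundle.crt").read())` and paste the returned text into the CA Bundle field; the domain certificate itself is never self-signed, so it is always kept. The issuer-equals-subject test is the same heuristic scanners use to label a sent certificate as an anchor; a cross-signed intermediate (same subject as a root, different issuer) is correctly kept, since it is exactly the certificate a client without the newer root needs.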
@hotsnow @cidero Anyone know how to force the chacha20_poly1305 cipher to be loaded by default? I can see Google, YouTube & CloudFlare have implemented it. I have also added the cipher suites, but they are not being loaded. Googled and found that some preferences should be set so that the browser doesn't load ECDHE & rather loads the chacha20_poly1305 cipher. Do you know how to set those preferences?
@Mahfuz_SS_EHL: even the newest OpenSSL 1.0.2a (your distribution will likely use an even older version...) doesn't support chacha20_poly1305. So you just have to wait a few months. See https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/ -- CloudFlare patched OpenSSL to include those ciphers and publishes the patch. But I think it is a bad idea to manually patch a software like OpenSSL...