SSL Chain issue: Contains anchor

Post by jvwag » Thu Jul 13, 2017 12:45 pm

After testing an SSL deployment as described in the wiki, I have tested the installation with the Qualys SSL Server test site.

The result was a nice A and a minor warning about the sent server chain. This chain included not only the intermediate certificates but also the root CA certificate. For SSL clients this is not strictly needed and can cause some (minor) issues later on.

If I remove the root CA certificate from my input files (certificate_ca.crt) the deploy tool will fail. And with the root CA certificate, Qualys will report an error.

How would I go about fixing this? I could edit all deployed files to strip the CA after the validation, but this seems cumbersome. Should the deployment tool be improved to support non-self-signed root CAs and maybe validate them against the OS's certificate store?


Re: SSL Chain issue: Contains anchor

Post by rotorboy » Tue Sep 11, 2018 1:29 pm

I just did the SSL test and discovered the same error on my Zimbra server. I'm concerned there's a problem as I found this after a user sent in a screenshot of their browser showing an SSL error that is preventing them from logging in: err_ssl_protocol_error
When I try our Zimbra https:// URL from Chrome, Firefox or Edge it seems to be working fine for me.

Re: SSL Chain issue: Contains anchor

Post by andreag » Thu Jan 16, 2020 10:11 pm

Hi, I'm experiencing the same problem. In order to get the certificate deploy process working I had to add the root CA as seen here: but now some iOS clients are getting a certificate error, and I suspect that it's related to the "Contains anchor" issue reported by Qualys SSL Labs.

I was thinking of doing exactly this:
"edit all deployed files to strip the CA after the validation"
Do you have any updates on this issue?
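
Added example, not part of any post in this thread and not Zimbra's own tooling: a standard-library Python filter for the "strip the CA after the validation" idea discussed above, which removes self-issued certificates (issuer equal to subject, as a root anchor is) from a PEM chain. The script name and the chain file path are assumptions; the thread does not say which deployed files hold the served chain.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of a certificate's issuer and subject Names."""
    _, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version (absent in v1)
        pos = end
    fields = []
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def strip_anchor(pem_text):
    """Drop self-issued certificates (issuer == subject) from a PEM chain."""
    kept = []
    for match in PEM_RE.finditer(pem_text):
        issuer, subject = issuer_and_subject(base64.b64decode(match.group(1)))
        if issuer != subject:               # root anchors name themselves as issuer
            kept.append(match.group(0) + "\n")
    return "".join(kept)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: strip_anchor.py CHAIN.pem > chain-without-root.pem")
    with open(sys.argv[1]) as fh:           # hypothetical path, supplied by the operator
        sys.stdout.write(strip_anchor(fh.read()))
```

The comparison is on names only and does not verify signatures, so a self-signed leaf certificate would also be removed; keep a copy of the original file before replacing it.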
