Last updated on February 10th, 2024 at 12:40 am
The message “chain issues contains anchor” in SSL Labs or similar tools doesn’t indicate a critical security issue, but rather a slightly inefficient setup. Here’s what it means and how to fix it:
What it means
- An “anchor” refers to the root certificate in the certificate chain.
- This message likely means your server includes both the root certificate and the intermediate certificate in its chain.
- While technically valid, it’s redundant – most clients already have the root certificate in their trusted store.
The message “chain issues contains anchor” in SSL Labs or similar tools refers to a slightly inefficient setup in your SSL/TLS certificate chain. It doesn’t indicate a critical security vulnerability, but it’s good practice to address it for optimal performance and efficiency.
Here’s a breakdown of what it means:
What is a certificate chain?
Your SSL/TLS certificate relies on a “chain of trust” to verify its authenticity. This chain consists of certificates issued by different entities:
- Root certificate: The highest-level certificate, trusted by default in most operating systems and browsers.
- Intermediate certificate(s): Issued by a Certificate Authority (CA) to validate lower-level certificates.
- Server certificate: The certificate presented by your web server, issued by an intermediate CA whose own certificate is in turn signed by the root certificate.
What does “contains anchor” mean?
An “anchor” refers to the root certificate in the chain.
The message “contains anchor” indicates that your server is sending both the intermediate and root certificates as part of the chain.
Why is this not ideal?
- Redundancy: Most clients (browsers, operating systems) already have the root certificate in their trusted store. Including it again adds unnecessary size to the chain, slightly increasing communication overhead and handshake latency (connection time).
- No security benefit: Including the root offers no additional security compared to just sending the intermediate certificate.
Is it a serious issue?
No, it’s not a critical security vulnerability. Your connection will still be secure even with the redundant root certificate.
However, fixing it can improve performance and show attention to detail in your server configuration.
How to fix it
There are several ways to fix the “chain issues contains anchor” message, depending on your specific setup.
Here are a few methods:
Using Your Certificate Provider:
- Let’s Encrypt: Let’s Encrypt offers different ways to handle the combined intermediate/root certificate:
- Specify “--exclude-root” when issuing the certificate: This option excludes the root certificate from the downloaded PEM file.
- Use the ACME API: Configure your ACME client or server-side library not to include the root certificate.
- Manually edit the PEM file: Open the downloaded PEM file with a text editor, remove the section containing the root certificate (delimited by the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” markers), and save the remaining server and intermediate certificates.
- Other Providers: Most certificate providers offer options within their management interface to configure which certificates are included in the chain. Check their documentation for specific instructions.
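The manual PEM edit above, done programmatically, as an added example that is not part of the original post: the script splits a served chain into its certificates, treats any self-issued certificate (issuer name equal to subject name, the usual shape of a root/anchor) as the anchor and drops it, keeping the server certificate first. It uses a minimal DER walker instead of a third-party library; sample_cert() builds constructed, unsigned certificate skeletons purely for demonstration, so point strip_anchor() at your real fullchain file instead.

```python
import base64
import re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles short- and long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def is_anchor(der):
    """Anchor heuristic: the certificate is self-issued, i.e. issuer Name == subject Name."""
    _, tbs, _ = _tlv(_tlv(der, 0)[1], 0)            # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0  # skip optional [0] EXPLICIT version
    for _ in range(2):                              # serialNumber, signature AlgorithmIdentifier
        pos = _tlv(tbs, pos)[2]
    _, issuer, pos = _tlv(tbs, pos)                 # issuer Name (raw DER content)
    pos = _tlv(tbs, pos)[2]                         # validity
    subject = _tlv(tbs, pos)[1]                     # subject Name (raw DER content)
    return issuer == subject

def strip_anchor(pem_text):
    """Return (chain with self-issued certs removed, number dropped); order of kept certs is preserved."""
    kept, dropped = [], 0
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        if is_anchor(der):
            dropped += 1
        else:
            kept.append(m.group(0))
    return "".join(c + "\n" for c in kept), dropped

def _der(tag, body):
    """Minimal DER encoder (bodies < 64 KiB), used only to build the constructed sample below."""
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def sample_cert(issuer_cn, subject_cn):
    """Constructed X.509 skeleton with only the fields is_anchor() reads; NOT a real signed cert."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")            # version v3, serial 1
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))            # issuer, validity, subject
    b64 = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----"
```

The self-issued check is only a heuristic: a cross-signed root (issuer differs from subject) is not caught, so confirm the served chain with SSL Labs afterwards as the post recommends.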
Managing Server Configuration:
- Web Server: Many web servers like Apache and Nginx have options to control which certificates are included in the chain. Consult your web server’s documentation to find the relevant configuration directives.
- Operating System: Some operating systems manage SSL certificates centrally and offer tools to configure the chain. For example, on Ubuntu, you can use the update-ca-certificates command with the --fresh option to update the trusted store and potentially remove the redundant root certificate.
- Always back up your existing certificate chain before making any changes.
- Test your website after making changes to ensure everything is working correctly.
- Use online SSL testers such as Qualys SSL Labs to verify your chain and identify any other issues.
If you follow these steps and consult your specific documentation, you can easily fix the “chain issues contains anchor” message and optimize your SSL configuration for better performance.
Remember, ignoring this message won’t cause major security issues, but addressing it can slightly improve connection speeds and show attention to detail in your web server setup.
Here are some additional things to keep in mind:
- This issue often arises when using Let’s Encrypt certificates, as they include a combined intermediate/root certificate by default.
- Check your certificate provider’s documentation for specific instructions on removing the root certificate.
- Ignoring this message won’t cause any security problems, but fixing it can improve performance slightly.
By following these steps, you can fix the “chain issues contains anchor” message and ensure your SSL/TLS configuration is both secure and efficient.