Is this SSL certificate chain broken and how to fix it?

Solution 1:

If the chain is sufficient depends on the CA store of the client. It looks like Firefox and Google Chrome have included the certificate for "COMODO RSA Certification Authority" end of 2014. For Internet Explorer it probably depends on the underlying OS. The CA might not yet be included in trust stores used by non-browsers, i.e. crawlers, mobile applications etc.

In any case the chain is not fully correct, as can be seen from the SSLLabs report:

  • One trust path needs that the new CA is trusted by the browser. In this case you still ship the new CA which is wrong, because trusted CAs must be built-in and not contained in the chain.
  • The other trust path is incomplete, i.e. it needs an extra download. Some browsers like Google Chrome do this download, while others browsers and non-browsers expect all necessary certificates to be contained inside the shipped chain. Thus most browsers and applications which do not have the new CA built-in will fail with this site.

Solution 2:

I contacted Comodo and downloaded a bundle.crt file from them. I renamed it to, as per this server's setup, and now the cert passes all tests. The Chain issues = Contains anchor notice isn't a problem (see below).

SSL Labs, widely regarded as the most complete test, now shows Chain issues = Contains anchor, whereas before it used to show Chain issues = None (while the others showed a problem with the chain). This is really a non-issue (1, 2), aside from an extra 1kB the server sends to the client.

My conclusion

  1. Ignore the SSL Labs test where it says Chain issues = Contains anchor OR remove the root cert from the bundle file (see this comment below).

  2. Always run a secondary test on at least one of the other three test sites (1, 2, 3) to ensure your chain is really okay when SSL Labs says Chain issues = None.