SSL Chain issues – Contains anchor
Does your SSLLABS report mention ‘Chain issues – Contains anchor’?
Remove the Root CA from the concatenated certificate file.
Use a text editor open your Root CA file as well as your Certificate file, check what the Root CA starts and end with and remove that section.
-----BEGIN CERTIFICATE----- MIIGuDCCBKCgAwIBAgIUUk/B8W400XArhKE/sEK7zHw8kDIwDQYJKoZIhvcNAQEL BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc Blah Blah JOVtnRpn3coVfSR/0rz0XKVXeZGnKztGdIMQhWMTxvZ1UpmRAH2Ab2QnVo1fkPVy qNSJces5Y/VKpIvLBk5Jj55fvK8ME/9ASa+LtLrIms8iYHl75cupuYZZlg8= -----END CERTIFICATE-----
Leaving just the Certificate and the Intermediate Certificate in the file.
Restart your web server and retest in SSLLABS.
It is a last CA certificate in the chain which signs server cert must be removed.
If you remove Root CA certificate then you will end up with incomplete chain (B grade) on SSL labs test page.
to be specific, it is the self-signed root that is to be removed