Incomplete SSL Certificate Chain
Diagnose and fix missing intermediate certificates.
An incomplete certificate chain is one of the sneakiest SSL errors. Your site may work perfectly in some browsers (that download missing certificates) and show errors in others (that don't). Mobile devices and API clients are particularly sensitive to this problem.
The certificate chain links your certificate to a trusted root certificate authority (CA root). If an intermediate certificate is missing, the browser can't establish this trust and displays an error, even if your certificate is perfectly valid.
This guide explains how the certificate chain works, how to diagnose an incomplete chain, and how to permanently fix the problem on your server.
Incomplete Chain Symptoms
How to identify this problem:
- Error on mobile only: site works on desktop but shows an SSL error on smartphones. Many mobile TLS stacks don't fetch missing intermediates, so they only trust what the server sends.
- Error in APIs/scripts: curl or wget fail with "unable to get local issuer certificate" while the browser works.
- SSL Labs notes "Chain issues": the SSL Labs tool explicitly flags that intermediate certificates are missing.
- Intermittent errors: some browsers compensate by downloading missing certificates (AIA fetching), others don't.
Causes of Incomplete Chain
Why intermediates are missing:
- Partial installation: only the final certificate was installed, without the intermediate certificates provided by the CA.
- Incorrect order: certificates are present but in the wrong order. The server certificate must be first.
- Outdated intermediates: the intermediate you installed has expired or was replaced by the CA with a new version, so clients no longer accept it even though the server certificate is fine.
- Server configuration: the web server points to the wrong certificate file (certificate alone instead of fullchain).
Chain Diagnosis
Tools to analyze your certificate chain:
- SSL Labs: the SSL Labs test analyzes the complete chain and explicitly indicates missing certificates with "Chain issues".
- OpenSSL: use openssl s_client to see certificates sent by the server and verify the chain.
- What's My Chain Cert: the whatsmychaincert.com tool generates the complete chain from your certificate.
- Multi-platform test: test on desktop, mobile, and with curl to identify affected environments.
Chain Correction
How to rebuild and install the complete chain:
#!/bin/bash
# See the chain the server actually sends (-servername so SNI selects the right certificate)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null
# A complete chain ends with "Verify return code: 0 (ok)"; a missing intermediate gives
# "Verify return code: 21 (unable to verify the first certificate)"
# Install the complete chain
# For Let's Encrypt, use fullchain.pem (certificate + intermediate) instead of cert.pem
# Nginx:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# Apache 2.4.8+ (SSLCertificateFile may contain the intermediates after the server certificate):
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
# Note: SSLCertificateChainFile is deprecated since Apache 2.4.8
# Manually build a chain (if necessary): server certificate first, then intermediates
cat server.crt intermediate.crt > fullchain.crt
# Print subject/issuer of each certificate to check the order
# (each certificate's issuer must match the subject of the one after it)
openssl crl2pkcs7 -nocrl -certfile fullchain.crt | openssl pkcs7 -print_certs -noout
# Validate the chain locally: only the root goes in -CAfile, intermediates in -untrusted
# (openssl verify only reads the first certificate of the file it is asked to verify,
# so passing fullchain.crt alone would not test the intermediate)
openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
The key is to use fullchain.pem (Let's Encrypt) or concatenate your certificate with intermediates in the correct order.
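The following script is an added worked example, not code from the original page or from any CA or web server's tooling. It builds a throwaway test PKI with openssl (a made-up "Demo Root CA", "Demo Intermediate CA" and a leaf for example.com, all generated locally, no network needed), then reproduces the three situations above: the leaf verified on its own fails exactly like curl against a server with a missing intermediate, the leaf plus the intermediate verifies, and a bundle with the intermediate placed before the server certificate is caught by an order check. It assumes openssl 1.1.1 or newer and a POSIX shell; the file and directory names are chosen for the demo.

```shell
#!/bin/sh
# Added example, not part of the original page: build a throwaway test PKI
# (root -> intermediate -> leaf for example.com) with openssl, then show how
# chain verification behaves when the intermediate is missing, present, or in
# the wrong order. Runs fully offline. Assumes openssl 1.1.1+ and a POSIX shell;
# every name below (Demo Root CA, file names, WORK dir) is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_pki DIR: create a root CA, an intermediate CA and a leaf certificate in DIR.
make_pki() {
  d="$1"
  mkdir -p "$d"
  # Extension files for the CA certificates and for the leaf (constructed for the demo)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$d/leaf.ext"

  # Root CA: self-signed
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" \
    -out "$d/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/intermediate.key" \
    -out "$d/intermediate.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null

  # Leaf (server) certificate: signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" \
    -out "$d/server.csr" -subj "/CN=example.com" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/server.pem" 2>/dev/null
}

# verify_chain ROOT LEAF [INTERMEDIATES]: succeed only if LEAF chains up to ROOT.
# Only the trust anchor goes in -CAfile; intermediates are passed with -untrusted,
# which is exactly the material a server has to send in the handshake.
verify_chain() {
  if [ "$#" -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# chain_in_order BUNDLE: succeed if every certificate in the PEM bundle is followed
# by its issuer (server first, then intermediates), the order ssl_certificate and
# SSLCertificateFile expect.
chain_in_order() {
  tmp=$(mktemp -d)
  # Split the bundle into 1.pem, 2.pem, ... in file order
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/" n ".pem")}' "$1"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  i=1
  while [ "$i" -lt "$count" ]; do
    issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject)
    # Drop the "issuer=" / "subject=" labels before comparing the names
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      rm -rf "$tmp"
      return 1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return 0
}

# Demo: the three situations described in the article
make_pki "$WORK"
cat "$WORK/server.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"     # correct order
cat "$WORK/intermediate.pem" "$WORK/server.pem" > "$WORK/wrong-order.pem"   # server not first

if verify_chain "$WORK/root.pem" "$WORK/server.pem"; then
  echo "leaf alone: verified (unexpected)"
else
  echo "leaf alone: FAILS, like curl would ('unable to get local issuer certificate')"
fi
if verify_chain "$WORK/root.pem" "$WORK/server.pem" "$WORK/intermediate.pem"; then
  echo "leaf + intermediate: verified"
fi
chain_in_order "$WORK/fullchain.pem"   && echo "fullchain.pem: order correct"
chain_in_order "$WORK/wrong-order.pem" || echo "wrong-order.pem: order incorrect"
```

To check a real bundle, run `chain_in_order /path/to/fullchain.pem` on the file your web server is configured with, and `verify_chain root.pem server.pem intermediate.pem` with the root and intermediate your CA published; a failure in the first is an ordering problem, a failure in the second with the bundle passed as the third argument means the bundle is missing an intermediate.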
Best Practices
Avoid chain problems:
- Use fullchain: with Let's Encrypt, always use fullchain.pem which automatically includes the intermediate.
- Verify after installation: after any certificate change, test with SSL Labs to confirm the chain is complete.
- Document your configuration: note which file contains what to avoid errors during renewals.
- Test on mobile: many mobile TLS stacks don't fetch missing intermediates, so a site that works there is very likely to work everywhere.
SSL Chain Checklist
- SSL Labs reports "Chain issues: None"
- fullchain file used in configuration
- Test successful on mobile
- curl works without -k
- Correct certificate order
- Intermediates up to date
Frequently Asked Questions
Why does Chrome work but not curl?
Chrome on most desktop platforms fetches missing intermediates using the certificate's AIA (Authority Information Access) URL, and Firefox ships a cache of known intermediates. Curl, wget, most libraries and many mobile clients do none of this: they only trust the chain the server sends.
Where do I find intermediate certificates?
Your certificate authority provides them when issuing. For Let's Encrypt, they're in fullchain.pem. Otherwise, download from the CA's site.
What order should certificates be in?
Top to bottom: your certificate, then intermediate 1, then intermediate 2, etc. The root isn't needed.
Should the root certificate be in the chain?
No, browsers already have trusted root CAs. Including the root adds unnecessary weight to the handshake.
How do I know if my intermediate is current?
Check its expiration date with openssl. CAs also publish updates on their sites.
Does MoniTao detect incomplete chains?
MoniTao checks the complete SSL connection. If the chain is incomplete and causes an error, you'll be alerted.
Complete Your SSL Chain
A complete certificate chain is essential for maximum compatibility. Use diagnostic tools and ensure all intermediate certificates are in place.
Monitor your certificates with MoniTao to be alerted of any SSL issues. Regular monitoring prevents unpleasant surprises.