Incomplete Certificate Chain

Resolve SSL/TLS chain errors.

An incomplete certificate chain means your server doesn't send all intermediate certificates. Some browsers cope, others show an error. Here's how to fix it.

Symptoms

  • SSL error on certain browsers only
  • SSL Labs score F or "Chain issues"
  • Mobile apps refusing connection
  • curl fails but Chrome works

Common Causes

  • Missing intermediate certificate: Server doesn't send the complete chain.
  • Wrong order: Certificates are in the wrong order in the file.
  • Incorrect bundle: The bundle provided by the CA isn't the right one.

Diagnostic Steps

  1. Test on SSL Labs (ssllabs.com)
  2. Verify with openssl s_client -connect <host>:<port>
  3. Identify missing intermediates
  4. Get certificates from CA website

Automate with MoniTao

MoniTao monitors your SSL chain:

  • Automatic SSL certificate verification
  • Alerts if chain is invalid
  • Expiration monitoring

Best Practices

  • Always include the complete chain
  • Order: server certificate, intermediates, (no root)
  • Test after each renewal
  • Use bundles provided by your CA
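
One way to check a bundle against the rules above before deploying it, as an added example that is not part of the original page: it flags wrong order, an included root, and a first certificate that cannot reach a trusted root using only the file's own intermediates. The function names and both file names are assumptions; roots.pem stands for whatever file holds the roots you trust.

```shell
#!/bin/sh
# Added example, not from the original page. Source it, then run:
#   check_chain_file fullchain.crt roots.pem     (both file names are placeholders)

# split_bundle FILE DIR: write each PEM certificate to DIR/cert-N.pem; print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# check_chain_file FILE ROOTS: print one finding per line; return 0 only if FILE is
# ordered leaf-first, carries no root, and its first certificate verifies to ROOTS.
# Order is checked by name hash (issuer of N == subject of N+1), not by signature.
check_chain_file() {
    dir=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$dir")
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        subject=$(openssl x509 -in "$dir/cert-$i.pem" -noout -subject_hash)
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer_hash)
        if [ "$subject" = "$issuer" ]; then
            echo "ROOT: certificate $i is self-issued; leave the root out"
            status=1
        fi
        if [ "$i" -lt "$count" ]; then
            next=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject_hash)
            if [ "$issuer" != "$next" ]; then
                echo "ORDER: certificate $i was not issued by certificate $((i + 1))"
                status=1
            fi
        fi
        i=$((i + 1))
    done
    # Completeness: the file's own certificates are the only untrusted helpers allowed.
    if ! openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1; then
        echo "INCOMPLETE: first certificate does not chain to a trusted root"
        status=1
    fi
    rm -rf "$dir"
    return "$status"
}
```

A clean result only means the names line up and the first certificate verifies against the roots you supplied; clients with a different trust store can still disagree.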

FAQ

Why does it work on Chrome but not elsewhere?

Chrome has an intermediate cache. Other clients are stricter.

Should I include the root certificate?

No, root should already be in the client's trust store.

How to create the right file?

Concatenate: cat cert.crt intermediate.crt > fullchain.crt

Does MoniTao detect incomplete chains?

MoniTao verifies SSL validity. An incomplete chain may trigger an alert.
