Introduction

An incomplete SSL certificate chain causes clients to reject otherwise valid certificates. The server must present the full chain: the leaf certificate followed by every intermediate that links it to the root CA.

Symptoms

- curl: "SSL certificate problem: unable to get local issuer certificate"
- Browser shows "NET::ERR_CERT_AUTHORITY_INVALID"
- SSL Labs grade shows "Chain issues: incomplete"
- Mobile app cannot connect to API
- Works in browser (downloads intermediate) but fails in API clients

Common Causes

- Server configured with leaf certificate only (missing intermediate)
- Intermediate CA certificate changed but not updated on server
- Certificate bundle concatenated in wrong order
- Self-signed root CA not in client trust store
- Load balancer not updated with full chain

Step-by-Step Fix

1. **Check the certificate chain**:

```bash
# Prints the issuer of the first certificate the server sends (the leaf)
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | openssl x509 -noout -issuer
```

2. **Verify chain completeness**:

```bash
# verify reads only the first certificate in a file; -untrusted supplies the intermediates
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt -untrusted fullchain.pem fullchain.pem
```

3. **Fix the certificate bundle**:

```bash
# Correct order: leaf cert first, then intermediates
cat server.crt intermediate.crt > fullchain.pem
# Update server configuration
# For Nginx: ssl_certificate fullchain.pem;
# For Apache (2.4.8+): SSLCertificateFile fullchain.pem;
```

Prevention

- Always use fullchain.pem (not just cert.pem)
- Validate chain with SSL Labs after deployment
- Automate certificate chain validation in CI/CD
- Monitor certificate chain completeness
- Use ACME clients that handle chain correctly (certbot, lego)
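
One way to automate the completeness and ordering checks from the steps above as a CI gate. This script is an added example, not part of the original page: the `check_chain` name and its exit codes are this example's own convention, and it assumes `openssl` and `awk` are on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page): CI gate for a PEM bundle.
# Usage: check_chain.sh fullchain.pem trust-anchors.pem
# Exit codes are this example's own convention:
#   0 ok, 1 no certificate found, 2 wrong order, 3 does not reach a trusted root

# The body runs in a subshell "( ... )" so its variables stay local.
check_chain() (
    bundle=$1; cafile=$2; rc=0
    tmp=$(mktemp -d) || exit 1

    # Split the bundle: cert-1.pem is what the server sends first (the leaf).
    n=$(awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }' "$bundle")
    [ "${n:-0}" -ge 1 ] || rc=1

    # Order: every certificate must name the one that follows it as issuer.
    i=1
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        subject=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$subject" ]; then
            echo "order: certificate $((i + 1)) did not issue certificate $i" >&2
            rc=2
        fi
        i=$((i + 1))
    done

    # Completeness: the leaf must reach a trust anchor using only the
    # intermediates in the bundle (passed as -untrusted). Signatures are
    # checked here; the loop above compares names only.
    if [ "$rc" -eq 0 ] && ! openssl verify -CAfile "$cafile" \
            -untrusted "$bundle" "$tmp/cert-1.pem" >/dev/null 2>&1; then
        echo "incomplete: leaf does not chain to a root in $cafile" >&2
        rc=3
    fi

    rm -rf "$tmp"
    exit "$rc"
)

# Run the check when called with both arguments.
if [ "$#" -eq 2 ]; then check_chain "$1" "$2"; exit; fi
```

The separate order check matters because `openssl verify` accepts the `-untrusted` certificates in any order, so a misordered bundle passes verification even though it is still the wrong-order bundle listed under Common Causes.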