Introduction

An incomplete SSL chain means your server presents the leaf certificate but does not provide the intermediate certificates clients need to build trust back to a root authority. Some browsers compensate with cached intermediates, which makes the issue look random. The fix is to install and serve the full chain correctly from the endpoint itself.

Symptoms

  • SSL test tools report incomplete chain or missing intermediate certificates
  • Some browsers or devices trust the site while others show certificate warnings
  • The certificate appears valid by date and hostname but still fails verification
  • The issue started after certificate renewal or manual installation
  • APIs, mobile apps, or older clients fail TLS even when desktop browsers work

Common Causes

  • Only the server certificate was installed without the required intermediate bundle
  • The hosting panel expects a fullchain file but received only the leaf certificate
  • Load balancer or reverse proxy TLS settings were updated incompletely
  • A recent certificate renewal replaced files but omitted the CA bundle
  • Different endpoints or nodes in a cluster serve different chain configurations

Step-by-Step Fix

  1. Test the public endpoint with an SSL checker or openssl s_client so you can see exactly which certificates the server is presenting.
  2. Compare the served chain with the certificate files provided by your CA and identify whether one or more intermediate certificates are missing.
  3. Install the certificate as a full chain in the format required by your web server, load balancer, or hosting control panel.
  4. Verify the private key still matches the renewed certificate so you do not mistake a key mismatch for a chain problem.
  5. If the site runs behind a CDN, proxy, or load balancer, confirm the missing chain is fixed on the layer actually terminating TLS.
  6. Restart or reload the TLS service cleanly after updating the certificate files so old chain data is not still in memory.
  7. Test all relevant hostnames and nodes if you use multiple origin servers or a cluster, because one stale node can keep the problem alive.
  8. Re-run public SSL validation from outside the network and confirm clients no longer need cached intermediates to trust the site.
  9. Keep certificate installation steps documented as fullchain-based so future renewals do not silently reintroduce the same trust failure.
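The procedure above as an added example written for this page, not the article's own script: POSIX shell helpers that capture the chain an endpoint serves (step 1), count and strictly verify it against a root file the way a client without cached intermediates would (steps 2 and 8), and confirm the key matches the leaf (step 4). It assumes the openssl CLI is installed; host names and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes the openssl CLI
# is installed; hostnames and file names are placeholders.

# Step 1: capture every certificate the endpoint actually presents, leaf first.
# Usage: fetch_served_chain www.example.com 443 > served.pem
fetch_served_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Step 2: how many certificates did the server send? 1 means leaf only, which
# is the classic incomplete-chain configuration.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Steps 2 and 8: verify the served bundle the way a strict client does, using
# only the certificates in the bundle plus the trusted roots in $2. An optional
# third file plays the role of a browser's cached intermediates, which is why
# some clients accept a broken chain while others reject it.
verify_served_chain() {
  bundle=$1; roots=$2; cache=${3:-}
  work=$(mktemp -d)
  # The first certificate in the bundle is the leaf.
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$bundle" > "$work/leaf.pem"
  cat "$bundle" ${cache:+"$cache"} > "$work/untrusted.pem"
  openssl verify -CAfile "$roots" -untrusted "$work/untrusted.pem" \
    "$work/leaf.pem" >/dev/null 2>&1
  rc=$?
  rm -rf "$work"
  return "$rc"
}

# Step 4: confirm the private key ($2) belongs to the leaf certificate ($1) by
# comparing public keys, so a key mismatch is not mistaken for a chain problem.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Run `verify_served_chain served.pem roots.pem` against the file produced by `fetch_served_chain`; a failure with a leaf-only bundle that turns into success once an intermediate file is passed as the third argument is exactly the "works in some browsers, fails elsewhere" symptom.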