Introduction
A subdomain certificate can look valid in one browser and still fail elsewhere when the intermediate chain is incomplete. Browsers often paper over the gap: many cache an intermediate they saw on another site or fetch it from the URL in the certificate's Authority Information Access extension, while OpenSSL-based tools, many mobile and older clients, and most monitoring scanners do neither and simply report an untrusted chain. The gap is especially common when the subdomain is served by a separate listener, certificate store, or proxy path from the main domain, because the apex and the subdomain then have independent bundles. The right fix is to inspect the bundle actually served for that exact hostname, with SNI set to it, rather than assuming the apex domain's correct setup applies everywhere.
Symptoms
- One subdomain shows certificate trust warnings while the main site works
- TLS checkers report an incomplete chain or a missing intermediate certificate
- The problem appears only on mobile, older clients, or certain scanning tools, which do not fetch missing intermediates on their own
- The certificate was recently renewed or installed on a different listener
- Public checks disagree depending on which hostname is tested
Common Causes
- The subdomain listener serves only the leaf certificate without the intermediate chain
- A different virtual host or load balancer binding is used for the affected subdomain
- The wrong certificate bundle was uploaded during renewal
- One node in a multi-server setup still uses an old incomplete chain
- The certificate store or secret mount for the subdomain differs from the main site
Step-by-Step Fix
- Confirm the exact subdomain presenting trust warnings and inspect the chain served for that hostname only, using a client that sends that hostname in SNI; a check against the apex name or the bare IP may hit a different listener and a different bundle.
- Compare the live served certificate bundle with the certificate files referenced in the listener or virtual host configuration; if they differ, the running service was not reloaded or is reading a different file than you think.
- Verify the deployed bundle contains the leaf followed by every intermediate in issuing order, not just the leaf certificate. The root is optional and usually omitted, since clients must already trust it.
- Check whether the affected subdomain uses a separate proxy, ingress, or secret from the apex domain.
- Review every backend node or edge location if the subdomain is served from more than one instance.
- Replace the incomplete certificate bundle with the correct full chain for that subdomain listener.
- Reload the relevant TLS service and retest from an external TLS checker after the change, using a client that does not fetch missing intermediates; a browser that already has the intermediate cached will pass even before the fix.
- Validate the fix on older clients or stricter scanners if they were the ones flagging the issue first.
- Keep renewal procedures explicit about leaf certificates versus full bundles so subdomain listeners are not deployed half-complete.
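The following Go program is an added example, not code from the original page, that automates the check described above. It builds a constructed root, intermediate and leaf hierarchy in memory for the hypothetical subdomain api.example.com, so it runs offline, and then verifies a served bundle the way a strict client does: trusting only the root, holding no cached intermediates and never fetching missing ones. FetchServed retrieves the bundle a real listener sends for a given SNI name (verification is disabled there only to capture the raw bundle, and it is not exercised in the offline run); CheckServed then rejects a leaf-only bundle, a bundle whose certificates are out of issuing order, and a full chain tested under the wrong hostname. The function and type names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FetchServed connects to addr with SNI set to host and returns the bundle the
// listener actually sends, leaf first. Verification is disabled on purpose: the
// goal is the raw served bundle, not the client's repaired view of it. The
// result must still go through CheckServed before anything trusts it.
func FetchServed(addr, host string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// CheckServed behaves like a strict client: it trusts only roots, has no cached
// intermediates and never fetches missing ones, so the leaf must chain to a root
// using nothing but the certificates in the served bundle, in order.
func CheckServed(served []*x509.Certificate, roots *x509.CertPool, host string) error {
	if len(served) == 0 {
		return errors.New("listener sent no certificate")
	}
	// Each certificate in the bundle must be signed by the one after it.
	for i := 0; i+1 < len(served); i++ {
		if err := served[i].CheckSignatureFrom(served[i+1]); err != nil {
			return fmt.Errorf("bundle out of order at position %d: %w", i, err)
		}
	}
	inter := x509.NewCertPool()
	for _, c := range served[1:] {
		inter.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// issue generates a P-256 key and a certificate from tmpl signed by parent; a
// nil parentKey yields a self-signed certificate (used for the root).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TestPKI is a constructed root -> intermediate -> leaf hierarchy that stands
// in for a real CA's chain so the check can run without network access.
type TestPKI struct{ Root, Inter, Leaf *x509.Certificate }

func BuildTestPKI(host string) (*TestPKI, error) {
	now := time.Now()
	caTmpl := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		}
	}
	root, rootKey, err := issue(caTmpl("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTmpl("Example Issuing CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{Root: root, Inter: inter, Leaf: leaf}, nil
}

// Compare runs CheckServed for three listener states against a client that
// trusts only the root: leaf alone, leaf plus intermediate, and the full chain
// tested under a different hostname than the one it was issued for.
func Compare(host string) (leafOnly, fullChain, wrongHost error) {
	pki, err := BuildTestPKI(host)
	if err != nil {
		return err, err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(pki.Root)
	leafOnly = CheckServed([]*x509.Certificate{pki.Leaf}, roots, host)
	fullChain = CheckServed([]*x509.Certificate{pki.Leaf, pki.Inter}, roots, host)
	wrongHost = CheckServed([]*x509.Certificate{pki.Leaf, pki.Inter}, roots, "www.example.com")
	return leafOnly, fullChain, wrongHost
}

func main() {
	leafOnly, fullChain, wrongHost := Compare("api.example.com")
	fmt.Println("leaf only:     ", leafOnly)
	fmt.Println("full chain:    ", fullChain)
	fmt.Println("wrong hostname:", wrongHost)
}
```

Against a live listener, pass the output of FetchServed for the affected subdomain into CheckServed together with x509.SystemCertPool() as the roots; a leaf-only bundle fails with an unknown authority error exactly as the strict clients in the symptom list do, and testing the apex name through the same function shows whether the two hostnames really share a bundle.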