Introduction

An SSL/TLS certificate chain consists of your server (leaf) certificate, one or more intermediate CA certificates, and the root CA certificate. Clients only have the root in their trust store, so if the intermediate certificates are not included in the server's certificate bundle, clients cannot build a complete chain of trust from the leaf to a trusted root. This causes browser warnings (NET::ERR_CERT_AUTHORITY_INVALID), curl failures with SSL certificate problem: unable to get local issuer certificate, and mobile app connection failures.

Symptoms

  • Browser shows Your connection is not private with NET::ERR_CERT_AUTHORITY_INVALID
  • curl -vI https://yoursite.com shows SSL certificate problem: unable to get local issuer certificate
  • openssl s_client -connect yoursite.com:443 -showcerts shows only 1 certificate (the server cert)
  • SSL Labs test shows Chain issues: Incomplete or Extra download required
  • Android/iOS apps fail to connect while desktop browsers may work, because desktop browsers can fetch the missing intermediate from the URL in the certificate's Authority Information Access (AIA) extension, while most mobile and library TLS stacks (including curl) do not

Common Causes

  • Server configured with only the leaf certificate, not the full chain
  • Certificate bundle file missing intermediate certificates
  • Web server SSL configuration pointing to wrong certificate file
  • CA changed intermediate certificate and the bundle was not updated
  • Wrong intermediate bundled with the certificate (for example, an intermediate from a different CA, or a different intermediate of the same CA than the one that actually issued the certificate)

Step-by-Step Fix

1. Check the current certificate chain:

```bash
# Print the issuer and subject of the certificate the server actually sends
# (-servername sends SNI so you get the certificate for this hostname)
openssl s_client -connect yoursite.com:443 -servername yoursite.com -showcerts </dev/null 2>/dev/null | \
openssl x509 -noout -issuer -subject
# Compare the issuer with what the intermediate CA should be: if the issuer is the
# intermediate's name but the server sent only one certificate, the chain is incomplete
```

2. Download the missing intermediate certificate:

```bash
# From your CA's website, download the intermediate bundle
# For Let's Encrypt:
curl -s https://letsencrypt.org/certs/lets-encrypt-r3.pem > intermediate.pem

# Or extract the AIA URL from your certificate:
openssl x509 -in cert.pem -noout -text | grep -A1 "CA Issuers"
# Certificates served from an AIA URL are usually DER-encoded; convert to PEM before bundling:
# openssl x509 -inform DER -in issuer.der -out intermediate.pem
```

3. Build the full chain file:

```bash
# Concatenate: server cert first, then intermediates (each cert is followed by its issuer)
cat yoursite.com.crt intermediate.pem > fullchain.pem
# Verify the chain: intermediates go in -untrusted, only the root is a trust anchor (-CAfile)
openssl verify -untrusted intermediate.pem -CAfile root.pem yoursite.com.crt
```

4. Configure the web server with the full chain:

```nginx
# Nginx: ssl_certificate must point at the full chain, not the leaf certificate alone
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
```

```apache
# Apache
SSLCertificateFile /etc/apache2/ssl/yoursite.com.crt
SSLCertificateChainFile /etc/apache2/ssl/intermediate.pem
# Apache 2.4.8 and later deprecate SSLCertificateChainFile: point SSLCertificateFile
# at fullchain.pem instead and drop the SSLCertificateChainFile line
```

5. Restart the web server and verify:

```bash
sudo systemctl restart nginx   # or: sudo systemctl restart apache2
# Verify the chain is now complete: expect the server cert followed by the intermediate(s)
openssl s_client -connect yoursite.com:443 -servername yoursite.com -showcerts </dev/null 2>/dev/null | \
grep "Certificate chain" -A 20
```

6. Test with SSL Labs:
   Submit your site to https://www.ssllabs.com/ssltest/ and verify the chain section shows no issues.
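The following script is an added example, not part of the original article or any CA's tooling. It reproduces the failure from steps 1 to 5 offline: it builds a throwaway three-tier PKI (root, intermediate, leaf), shows that `openssl verify` fails on the leaf alone with the same "unable to get local issuer certificate" error, shows that supplying the intermediate fixes it, and checks that a fullchain.pem is ordered leaf, then intermediate, then root. It assumes the openssl command-line tool is installed; the names Example Test Root, Example Test Intermediate and yoursite.com, and all file names, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): reproduce the incomplete-chain
# failure with a throwaway PKI and check fullchain.pem ordering. Needs openssl.
# All names and files below are constructed for this demonstration.

# make_test_pki DIR: create a self-signed root, an intermediate signed by it,
# and a leaf for yoursite.com signed by the intermediate, all under DIR.
make_test_pki() {
    dir=$1
    # Root CA: req -x509 emits a CA:TRUE certificate with the default extensions.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA: CSR signed by the root, marked CA:TRUE with keyCertSign.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Example Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$dir/int.ext" -out "$dir/int.pem" 2>/dev/null || return 1
    # Leaf (server) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=yoursite.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:yoursite.com\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 90 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# chain_verifies LEAF ROOT [INTERMEDIATE]: exit 0 if LEAF chains to ROOT.
# Intermediates belong in -untrusted; only the root is a trust anchor (-CAfile).
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# check_chain_order BUNDLE: exit 0 if each certificate in BUNDLE is followed by
# its issuer (server cert first, then intermediates), the layout fullchain.pem needs.
check_chain_order() {
    tmp=$(mktemp -d)
    # Split the PEM bundle into 1.pem, 2.pem, ... in bundle order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/" n ".pem")}' "$1"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$tmp/$i.pem" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$tmp/$j.pem" | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "chain break: cert $i is issued by '$issuer' but cert $j is '$subject'" >&2
            rm -rf "$tmp"
            return 1
        fi
        i=$j
    done
    rm -rf "$tmp"
    return 0
}

# served_chain_depth HOST: number of certificates a live server sends; 1 means the
# intermediate is missing. Needs network access, so it is not run in the demo below.
served_chain_depth() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Demonstration of the broken and the fixed state.
work=$(mktemp -d)
if make_test_pki "$work"; then
    if chain_verifies "$work/leaf.pem" "$work/root.pem"; then
        echo "unexpected: leaf verified without the intermediate"
    else
        echo "leaf alone: unable to get local issuer certificate (the article's symptom)"
    fi
    chain_verifies "$work/leaf.pem" "$work/root.pem" "$work/int.pem" && echo "leaf + intermediate: OK"
    cat "$work/leaf.pem" "$work/int.pem" > "$work/fullchain.pem"
    check_chain_order "$work/fullchain.pem" && echo "fullchain.pem order: OK"
fi
rm -rf "$work"
```

Run it as a plain POSIX shell script. `check_chain_order` is the check worth keeping in a deployment pipeline: run it on the bundle before restarting the web server, and run `served_chain_depth yoursite.com` afterwards to confirm the server sends more than one certificate.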

Prevention

  • Always use the full chain file (not just the leaf cert) in web server configuration
  • Automate certificate deployment with tools like certbot that write the full chain for you (certbot's fullchain.pem already contains the leaf and intermediates)
  • Monitor certificate chain completeness with SSL Labs API or automated checks
  • Keep a copy of the intermediate certificate alongside the server certificate
  • Test new certificates on staging before deploying to production