Certificate Chain Errors: How to Fix an Incomplete SSL Chain
Browsers trust your site when they can build a path from your leaf certificate to a trusted root using intermediate certificates. If the server sends only the leaf cert, some clients show NET::ERR_CERT_AUTHORITY_INVALID or similar—the classic incomplete chain.
Key takeaways
- Download the full chain from your CA (often a "full chain" or "bundle" file).
- Nginx: point ssl_certificate at a file that includes leaf + intermediates (e.g. Certbot's fullchain.pem).
- Apache: use SSLCertificateFile for the combined chain or match your distro's split file layout.
- Reload the server and verify with openssl s_client -connect host:443 -servername host or our SSL checker.
Why the chain breaks
Public CAs issue a certificate signed by an intermediate, not directly by a root in the browser store. Your server must present the leaf plus enough intermediates. Some platforms cache missing intermediates (Android), which hides the bug until another client fails—always fix at the origin.
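The failure described above can be reproduced offline. This is an added example, not code from the original page: it builds a constructed throwaway root, intermediate and leaf with the openssl CLI, then verifies the leaf the way a client holding only the root would, first with the leaf alone and then with the full chain. The function names, file names and subjects are hypothetical.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
set -eu

# check_chain ROOTS SERVED
# Verifies the first certificate in SERVED (the leaf) against the trust store
# ROOTS; any further certificates in SERVED act as untrusted intermediates,
# which is what a client sees when the server sends that file.
check_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

# make_demo_pki DIR (hypothetical helper): writes root.pem, int.pem, leaf.pem
# and fullchain.pem (leaf first, then intermediate) into DIR.
make_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=CN\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
  req() { openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes "$@"; }
  sign() { openssl x509 -req -days 2 "$@"; }
  req -x509 -extensions ca -days 2 -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem"
  req -new -subj "/CN=Demo Intermediate" -keyout "$d/int.key" -out "$d/int.csr"
  req -new -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr"
  # The intermediate must carry CA:TRUE or it cannot issue the leaf.
  sign -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -extfile "$d/ca.cnf" -extensions ca -out "$d/int.pem"
  sign -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 -out "$d/leaf.pem"
  cat "$d/leaf.pem" "$d/int.pem" >"$d/fullchain.pem"
} 2>/dev/null

d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
make_demo_pki "$d"
echo "server sends leaf.pem only: $(check_chain "$d/root.pem" "$d/leaf.pem")"
echo "server sends fullchain.pem: $(check_chain "$d/root.pem" "$d/fullchain.pem")"
```

To check a real deployment's file the same way, pass your CA's root bundle as the first argument to check_chain and the file your server is configured to serve as the second.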
OCSP stapling (optional)
After the chain is correct, enabling OCSP stapling can improve handshake performance and privacy. It is separate from chain completeness; fix the chain first.
CDN or reverse proxy
If TLS terminates at Cloudflare, AWS ALB, or another proxy, upload the full chain in their console—or use their managed certificate feature. Misconfiguration often shows as intermittent warnings on mobile networks.
Verify after fixing
Use our certificate checker to confirm validity, issuer, and expiry. For a deeper redirect + headers picture, run the main HTTPS check.