Certificate Chain Errors: How to Fix an Incomplete SSL Chain
Browsers trust your site when they can build a path from your leaf certificate to a trusted root using intermediate certificates. If the server sends only the leaf certificate, some clients show NET::ERR_CERT_AUTHORITY_INVALID or a similar error: the classic incomplete chain.
Key takeaways
- Download the full chain from your CA (often a "full chain" or "bundle" file).
- Nginx: point `ssl_certificate` at a file that includes leaf + intermediates (e.g. Certbot's `fullchain.pem`).
- Apache: use `SSLCertificateFile` for the combined chain, or match your distro's split file layout.
- Reload the server and verify with `openssl s_client -connect host:443 -servername host` or our SSL checker.
Why the chain breaks
Public CAs issue a certificate signed by an intermediate, not directly by a root in the browser store. Your server must present the leaf plus enough intermediates to reach a root the client trusts. Some platforms (Android, for example) cache intermediates they have seen before, which hides the bug until another client fails; always fix it at the origin.
OCSP stapling (optional)
After the chain is correct, enabling OCSP stapling can improve handshake performance and privacy. It is separate from chain completeness; fix the chain first.
CDN or reverse proxy
If TLS terminates at Cloudflare, AWS ALB, or another proxy, upload the full chain in their console, or use their managed certificate feature. Misconfiguration often shows up as intermittent warnings on mobile networks.
Verify after fixing
Use our certificate checker to confirm validity, issuer, and expiry. For a deeper redirect + headers picture, run the main HTTPS check.