Error Codes Wiki

SSL Certificate Chain Incomplete — Intermediate Certificate Missing on Linux Server


Quick Answer

Why do browsers work but curl fails?

Modern browsers support AIA (Authority Information Access) chasing, which downloads missing intermediates automatically. curl, API clients, and other programmatic HTTPS clients do not do this; they require the full chain from the server.

Overview

Fix incomplete SSL certificate chain errors on Linux web servers where the intermediate CA certificate is missing, causing trust failures in clients.

Key Details

  • SSL/TLS certificate chains: server cert > intermediate CA cert(s) > root CA cert
  • The server must send the full chain (server cert + intermediates) during the TLS handshake
  • Root CA cert is in the client's trust store and should NOT be sent by the server
  • Missing intermediates cause trust failures in browsers, API clients, and mobile apps
  • Some browsers can fetch missing intermediates automatically but API clients and curl cannot

Common Causes

  • Server configured with only the leaf (server) certificate without intermediate CA certificates
  • Certificate renewed but only the new server cert was installed, not the updated intermediates
  • Wrong intermediate certificate used (does not chain to the issuing CA)
  • Certificate file order incorrect — server cert must come before intermediates

Steps

  1. Test the chain: 'openssl s_client -connect yourserver.com:443 -showcerts' — check for chain completeness
  2. Use SSL Labs: ssllabs.com/ssltest to check your certificate chain online
  3. Download the correct intermediate from your CA's documentation (Let's Encrypt, DigiCert, etc.)
  4. Combine certificates in the correct order: 'cat server.crt intermediate.crt > fullchain.crt'
  5. Configure the web server: Nginx: 'ssl_certificate fullchain.crt'. Apache: 'SSLCertificateChainFile intermediate.crt'
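
One way to read the output of step 1 programmatically, as an added example that is not part of the original page: it parses the "Certificate chain" section and the verify return code that openssl s_client prints, then reports a leaf-only chain, a cert that is not issued by the next one, or a root sent by the server. The function names and the sample output are constructed for illustration, and the verify code reflects the trust store of the machine that ran openssl.

```python
import re

# Constructed sample: trimmed `openssl s_client -showcerts` output from a server
# that sends only its leaf certificate. Names and PEM body are placeholders.
SAMPLE_LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA 1
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Server certificate
subject=CN = www.example.test
issuer=C = US, O = Example CA, CN = Example Issuing CA 1
---
Verify return code: 21 (unable to verify the first certificate)
"""

def parse_chain(text):
    """Return ([(subject, issuer), ...] in the order sent, verify code or None)."""
    after = text.split("Certificate chain", 1)[-1]
    section = re.split(r"^---\s*$", after, maxsplit=1, flags=re.M)[0]
    subjects = re.findall(r"^\s*\d+ s:(.*)$", section, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", section, re.M)
    code = re.search(r"Verify return code: (\d+)", text)
    pairs = [(s.strip(), i.strip()) for s, i in zip(subjects, issuers)]
    return pairs, (int(code.group(1)) if code else None)

def audit_chain(text):
    """Return findings about the chain the server sent; an empty list means none."""
    chain, code = parse_chain(text)
    if not chain:
        return ["no certificate chain found in input"]
    findings = []
    for n in range(len(chain) - 1):  # each cert must be issued by the next one
        if chain[n][1] != chain[n + 1][0]:
            findings.append(f"cert {n} not issued by cert {n + 1}: wrong order or wrong intermediate")
    if len(chain) > 1 and chain[-1][0] == chain[-1][1]:
        findings.append("last cert is self-signed: the server is sending the root CA")
    if code in (20, 21):  # OpenSSL: issuer certificate could not be found
        why = "only the leaf was sent" if len(chain) == 1 else "sent chain does not reach a trusted root"
        findings.append(f"verify code {code}: {why}")
    return findings

if __name__ == "__main__":
    print(audit_chain(SAMPLE_LEAF_ONLY))
```

To use it on a live server, save the output of the step 1 command to a file and pass the file's contents to audit_chain.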
