What order should certificates be in the chain file?

Server certificate first, then intermediate CA certificate(s), from most specific to most general. Do NOT include the root CA certificate. The file reads top-to-bottom: your cert > intermediate > (optional second intermediate).

Does Let's Encrypt handle chains automatically?

Yes. certbot creates a fullchain.pem file that includes both the server cert and intermediate. Use fullchain.pem (not cert.pem) in your web server configuration to avoid chain issues.

SSL Certificate Chain Incomplete — Intermediate Certificate Missing on Linux Server

Errorsecurity

Overview

Fix incomplete SSL certificate chain errors on Linux web servers where the intermediate CA certificate is missing, causing trust failures in clients.

Key Details

SSL/TLS certificate chains: server cert > intermediate CA cert(s) > root CA cert
The server must send the full chain (server cert + intermediates) during the TLS handshake
Root CA cert is in the client's trust store and should NOT be sent by the server
Missing intermediates cause trust failures in browsers, API clients, and mobile apps
Some browsers can fetch missing intermediates automatically but API clients and curl cannot

Common Causes

Server configured with only the leaf (server) certificate without intermediate CA certificates
Certificate renewed but only the new server cert was installed, not the updated intermediates
Wrong intermediate certificate used (does not chain to the issuing CA)
Certificate file order incorrect — server cert must come before intermediates

Steps

1Test the chain: 'openssl s_client -connect yourserver.com:443 -showcerts' — check for chain completeness
2Use SSL Labs: ssllabs.com/ssltest to check your certificate chain online
3Download the correct intermediate from your CA's documentation (Let's Encrypt, DigiCert, etc.)
4Combine certificates in the correct order: cat server.crt intermediate.crt > fullchain.crt
5Configure the web server: Nginx: ssl_certificate fullchain.crt. Apache: SSLCertificateChainFile intermediate.crt

Related Items

linux-gpg-key-expired-cannot-verify

More in Security

windows-defender-errorsWindows Defender Errors — Antivirus Not Working or Updating

Error

windows-error-0x80073b01-defender-serviceWindows Error 0x80073B01 — Windows Defender Service Failed to Start

Error

windows-bitlocker-recovery-key-errorsBitLocker Recovery Key Errors — Drive Locked and Recovery Key Not Found

Critical

mac-gatekeeper-app-blockedMac Gatekeeper — App Cannot Be Opened (Unidentified Developer)

Warning

mac-filevault-recovery-errorsMac FileVault Errors — Encryption, Decryption & Recovery Key Issues

Error

mac-keychain-errors-passwordsMac Keychain Errors — Password Prompts, Locked Keychain, and Repair Guide

Warning

Frequently Asked Questions

Modern browsers have AIA (Authority Information Access) chasing which downloads missing intermediates automatically. curl, API clients, and programmatic HTTPS clients do not do this — they require the full chain from the server.

SSL Certificate Chain Incomplete — Intermediate Certificate Missing on Linux Server

Overview

Key Details

Common Causes

Steps

Tags

Related Items

More in Security

Frequently Asked Questions