Fix SSL "Chain Issues"

Understanding Chain Issues

Browser can't verify certificate because intermediate certificates are missing.

Check Your Chain

# View certificate chain
openssl s_client -connect yourdomain.com:443 -showcerts

# Should show multiple certificates
# If only one certificate shown, chain is incomplete

Fix 1: Create Full Chain File

Download intermediate certificates from your CA:

# Combine in order: Server -> Intermediate -> Root
cat server.crt intermediate.crt > fullchain.crt

# Nginx configuration
ssl_certificate /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;

Fix 2: Let's Encrypt Chain

Certbot already provides fullchain.pem:

ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

Fix 3: Verify Chain with SSL Labs

https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.com

Look for "Chain issues" warning.

Fix 4: Download Missing Intermediates

# From CA website or using openssl
openssl s_client -connect yourdomain.com:443 -showcerts 2>&1 | grep -A30 "Certificate chain"

Fix 5: Apache Configuration

SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
SSLCertificateChainFile /path/to/intermediate.crt  # Apache 2.2
# Or for Apache 2.4:
SSLCertificateFile /path/to/fullchain.crt

Test Chain

openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt

Understanding Chain Issues

Check Your Chain

Fix 1: Create Full Chain File

Fix 2: Let's Encrypt Chain

Fix 3: Verify Chain with SSL Labs

Fix 4: Download Missing Intermediates

Fix 5: Apache Configuration

Test Chain

Was this article helpful?