What Are Chain Issues?
SSL certificate chain issues occur when a web server does not present the full chain of certificates from the server certificate up to a trusted root CA. This causes browsers or API clients to reject the connection with errors like "unable to verify the first certificate" or "certificate chain incomplete."
Step 1: Diagnose the Problem
# Show the server (leaf) certificate's subject, issuer and validity dates
# (stdin is redirected from /dev/null so s_client exits instead of waiting for input)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
# Show every certificate the server actually sends
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -showcerts </dev/null 2>/dev/null
You can also use online tools to analyze your chain by visiting SSL testing sites with your domain.
Step 2: Identify Missing Intermediates
A properly configured chain should include:
- Your server certificate (leaf)
- One or more intermediate certificates
- The root CA certificate (optional — browsers have this built in)
If the -showcerts output contains only one certificate (the leaf), the intermediates are missing.
Step 3: Fix for Nginx
Concatenate the server certificate and the intermediate certificate(s) into a single file. Order matters: the server certificate comes first, followed by the intermediates in signing order:
cat your_domain.crt intermediate.crt > fullchain.crt
Update the Nginx configuration:
ssl_certificate /etc/ssl/fullchain.crt;
ssl_certificate_key /etc/ssl/your_domain.key;
sudo nginx -t && sudo systemctl reload nginx
Step 4: Fix for Apache
SSLCertificateFile /etc/ssl/your_domain.crt
SSLCertificateKeyFile /etc/ssl/your_domain.key
SSLCertificateChainFile /etc/ssl/intermediate.crt
sudo apachectl configtest && sudo systemctl reload apache2
On Apache 2.4.8 and later, SSLCertificateChainFile is deprecated; you can instead point SSLCertificateFile at a fullchain file built as in Step 3.
Fix for Let's Encrypt
Let's Encrypt with Certbot handles chains automatically. Make sure the server configuration points at fullchain.pem, not cert.pem, under /etc/letsencrypt/live/yourdomain.com/. If you still have issues, renew (forced renewals count against Let's Encrypt's duplicate-certificate rate limit, so do not repeat this in a loop):
sudo certbot renew --force-renewal
Verification
# Verify the chain is complete (return code 21, "unable to verify the first certificate", means an intermediate is missing)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | grep -E "Verify return code"
# Should return: Verify return code: 0 (ok)
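The following script is an added example, not part of the original page. It reproduces offline what Steps 2 and 3 and the Verification section describe against a live server: it builds a throwaway root -> intermediate -> leaf hierarchy with openssl (the names "Example Test Root", "Example Test Intermediate" and www.example.test are constructed), shows that the leaf alone fails verification exactly as a server with a one-certificate chain would, and that the same leaf verifies once the intermediate is appended in a fullchain file. It assumes openssl 1.1.1 or later and mktemp are on PATH.

```shell
#!/bin/sh
# Added example (not the page's own code): demonstrate a missing-intermediate
# chain failure and its fix using a locally generated test PKI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: a dummy DN section (req needs one even with -subj)
# plus one extension section per tier. All names are constructed.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# count_certs FILE: number of PEM certificates in a bundle. A file with
# count 1 carries no intermediates (the Step 2 check).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# verify_leaf ROOT LEAF [UNTRUSTED]: exit 0 if LEAF chains up to ROOT, using
# the optional UNTRUSTED bundle to supply intermediates; non-zero otherwise.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# 1. Self-signed root CA.
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_root \
  -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

# 2. Intermediate CA signed by the root.
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Test Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_int \
  -out "$WORK/int.crt" 2>/dev/null

# 3. Server (leaf) certificate signed by the intermediate.
openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.crt" 2>/dev/null

# 4. The fullchain file a server should present (Step 3): leaf first, then intermediate.
cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.crt"

echo "certificates in leaf.crt:      $(count_certs "$WORK/leaf.crt")"
echo "certificates in fullchain.crt: $(count_certs "$WORK/fullchain.crt")"
if verify_leaf "$WORK/root.crt" "$WORK/leaf.crt"; then
  echo "leaf alone: verifies (unexpected)"
else
  echo "leaf alone: FAILS, issuer not found (the 'unable to verify the first certificate' case)"
fi
if verify_leaf "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/fullchain.crt"; then
  echo "leaf + intermediate from fullchain.crt: OK"
fi
```

The trust store here is only the test root, which mirrors what a browser holds: roots, never your intermediate. Whatever the server does not send, the client has to find on its own, and most clients will not.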