
SSL Certificate Chain Errors: Causes and Fixes

Updated June 2026, by CertNotify Team

Certificate chain errors are some of the trickiest SSL problems to debug because your site may work fine in most browsers but fail for some users, mobile apps, or API clients. Understanding certificate chains is essential for anyone managing TLS certificates.

What is a Certificate Chain?

A certificate chain (also called a trust chain) is a series of certificates linking your domain certificate to a Root CA that browsers inherently trust:

1. Root CA Certificate: Trusted by all browsers (pre-installed). Examples: DigiCert, Sectigo, ISRG Root X1
2. Intermediate CA Certificate: Signs your domain cert on the Root CA's behalf. Often missing, which is the most common chain error.
3. Your Domain Certificate: Issued for yourdomain.com. Directly presented to browsers.

Common Chain Errors

UNABLE_TO_GET_ISSUER_CERT_LOCALLY: Missing intermediate certificate in the chain
CERT_UNTRUSTED: Self-signed cert or intermediate not in browser trust store
UNABLE_TO_VERIFY_LEAF_SIGNATURE: Chain breaks; intermediate cannot be verified against root
CERTIFICATE_VERIFY_FAILED: General chain verification failure
ERR_CERT_AUTHORITY_INVALID: Chrome: issuer not recognized as trusted CA

Diagnose Your Chain

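OpenSSL chain check:

# </dev/null closes stdin so s_client exits after the handshake instead of waiting for input
openssl s_client -connect yourdomain.com:443 -showcerts </dev/null 2>/dev/null | grep -E "s:|i:"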

You should see a chain like:

s:CN = yourdomain.com
i:CN = Intermediate CA Name
s:CN = Intermediate CA Name
i:CN = Root CA Name

If you only see one "s:/i:" pair, your intermediate certificate is missing from the server configuration.

Fix: Build the Full Chain

# Concatenate certificates in order: domain → intermediate → (optional root)
cat yourdomain.crt intermediate.crt > fullchain.pem
# Verify the chain: root.pem is the trust anchor, intermediate.crt is supplied as untrusted
openssl verify -CAfile root.pem -untrusted intermediate.crt yourdomain.crt

Where to get the intermediate certificate: download from your CA's documentation page. For Let's Encrypt, use the ISRG Root X1 chain. For DigiCert, use their intermediate repository.

Configure Your Web Server

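Nginx: use fullchain.pem

ssl_certificate /etc/ssl/fullchain.pem; # domain cert + intermediates
ssl_certificate_key /etc/ssl/private.key;

Apache: use SSLCertificateChainFile

# SSLCertificateChainFile is deprecated since Apache 2.4.8; on those versions
# SSLCertificateFile can point at the fullchain file (domain cert + intermediates) instead.
SSLCertificateFile /etc/ssl/yourdomain.crt
SSLCertificateKeyFile /etc/ssl/private.key
SSLCertificateChainFile /etc/ssl/intermediate.crt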

Why Mobile Clients Are More Sensitive

Desktop browsers use a technique called "AIA Fetching" (Authority Information Access) to automatically download missing intermediate certificates. Mobile apps, IoT devices, and server-to-server API clients often do not — they will fail with a chain error even when the same site works in Chrome. Always configure the complete chain on the server side.
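
The following added example (not from the original article) builds a throwaway root, intermediate and leaf with OpenSSL, then shows what a client without AIA fetching sees when the server sends only the leaf versus the fullchain.pem built in "Fix: Build the Full Chain", and checks that a bundle is in leaf-first order. The CA names, the function names and reversed.pem are assumptions made up for the demonstration.

```bash
# Constructed demo hierarchy: root -> intermediate -> leaf, all throwaway keys.
new_csr() {  # $1 = path prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_test_chain() {  # $1 = output directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_csr "$d/root" "Test Root CA"
  new_csr "$d/int" "Test Intermediate CA"
  new_csr "$d/leaf" "yourdomain.com"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/yourdomain.crt" 2>/dev/null
}

# Verify the first cert in bundle $2 against root $1 using only the certs the
# server would send (no AIA fetching), as a mobile app or API client does.
verify_as_client() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Name-level order check (the s:/i: comparison): each issuer must equal the
# subject of the next cert in the file. Signatures are checked by verify_as_client.
chain_is_ordered() {
  t=$(mktemp -d)
  n=$(awk -v p="$t/c" '/BEGIN CERT/{n++} n{print > (p n ".pem")} END{print n+0}' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$t/c$i.pem")
    sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$t/c$((i + 1)).pem")
    [ "${iss#issuer=}" = "${sub#subject=}" ] || { rm -rf "$t"; return 1; }
    i=$((i + 1))
  done
  rm -rf "$t"
}

work=$(mktemp -d)
make_test_chain "$work"
cat "$work/yourdomain.crt" "$work/intermediate.crt" > "$work/fullchain.pem"
cat "$work/intermediate.crt" "$work/yourdomain.crt" > "$work/reversed.pem"
verify_as_client "$work/root.pem" "$work/yourdomain.crt" || echo "leaf only: verification fails"
verify_as_client "$work/root.pem" "$work/fullchain.pem" && echo "fullchain.pem: verifies"
chain_is_ordered "$work/reversed.pem" || echo "reversed.pem: wrong order"
```

To check a real deployment, run chain_is_ordered on the file your server's certificate directive points at and verify_as_client with your CA's root as the first argument.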
