Debug: SSL certificate chain incomplete
Error Messages
Problem
HTTPS works in browsers but fails in API clients, curl, or mobile apps with 'unable to verify' or 'certificate chain' errors.
Solution
The SSL certificate is missing intermediate certificates:
- Diagnose:

  ```bash
  openssl s_client -connect example.com:443 -servername example.com
  # Look for 'verify error:num=21:unable to verify the first certificate'
  # Check the certificate chain depth
  ```

- Fix - combine certificates in correct order:

  ```bash
  cat your_cert.crt intermediate.crt > fullchain.crt
  # Order: server cert first, then intermediates, root last (or omit root)
  ```

- For nginx:

  ```nginx
  ssl_certificate /path/to/fullchain.crt; # NOT just the server cert
  ssl_certificate_key /path/to/privkey.key;
  ```

- For Let's Encrypt, use fullchain.pem (not cert.pem):

  ```nginx
  ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
  ```

- Verify the chain:

  ```bash
  openssl verify -CAfile intermediate.crt your_cert.crt
  ```

- Online check: https://www.ssllabs.com/ssltest/
Why browsers work but clients fail:
Browsers cache intermediate certs from other sites. API clients and curl don't have this cache and need the full chain.