
Debug: SSL certificate chain incomplete


Error Messages

unable to verify the first certificate
certificate chain is incomplete
SSL_ERROR_UNKNOWN_CA_ALERT
unable to get local issuer certificate

Problem

HTTPS works in browsers but fails in API clients, curl, or mobile apps with 'unable to verify' or 'certificate chain' errors.

Solution

The server is not sending the intermediate certificates that link its certificate to a trusted root:

  1. Diagnose:


openssl s_client -connect example.com:443 -servername example.com
# Look for 'verify error:num=21:unable to verify the first certificate'
# Check the 'Certificate chain' section of the output to see how many certificates the server actually sends

  2. Fix - combine certificates in correct order:


cat your_cert.crt intermediate.crt > fullchain.crt
# Order: server cert first, then intermediates, root last (or omit root)

  3. For nginx:


ssl_certificate /path/to/fullchain.crt; # NOT just the server cert
ssl_certificate_key /path/to/privkey.key;

  4. For Let's Encrypt, use fullchain.pem (not cert.pem):


ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;

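  5. Verify the chain:


openssl verify -untrusted intermediate.crt your_cert.crt
# -untrusted supplies the intermediate for chain building only; the root must come from the trust store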

  6. Online check: https://www.ssllabs.com/ssltest/



Why browsers work but clients fail:
Browsers cache intermediate certs from other sites. API clients and curl don't have this cache and need the full chain.
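
The failure and the fix can be reproduced offline. The script below is an added example, not part of the original entry: it builds a throwaway root, intermediate and leaf with openssl, shows that verification fails when the intermediate is absent, and checks the order of a combined bundle. All certificate names are constructed, and `mkcsr`, `build_test_pki`, `dn` and `bundle_in_order` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Every name and certificate below is constructed test data.

# Create a key and CSR named $1 with common name $2 in the current directory.
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf hierarchy in directory $1.
build_test_pki() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    mkcsr root "Constructed Test Root" &&
    mkcsr int "Constructed Test Intermediate" &&
    mkcsr leaf "leaf.example.test" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 1 -out root.crt 2>/dev/null &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 1 -out int.crt 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key \
        -CAcreateserial -days 1 -out leaf.crt 2>/dev/null
)

# Print the subject ($1=subject) or issuer ($1=issuer) name of certificate $2.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# Succeed only if each certificate in PEM bundle $1 names the next one as its
# issuer (leaf first). Names only; signatures are left to `openssl verify`.
bundle_in_order() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/" n ".pem")}' "$1"
    i=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        [ "$(dn issuer "$tmp/$i.pem")" = "$(dn subject "$tmp/$((i + 1)).pem")" ] || exit 1
        i=$((i + 1))
    done
    [ -f "$tmp/1.pem" ]
)

# Demo: what a client without cached intermediates sees, then the fix.
d=$(mktemp -d) && build_test_pki "$d" && cd "$d" || exit 1
openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 || echo "leaf only: FAIL"
openssl verify -CAfile root.crt -untrusted int.crt leaf.crt
cat leaf.crt int.crt > fullchain.crt    # page's order: server cert first
cat int.crt leaf.crt > reversed.crt
bundle_in_order fullchain.crt && echo "fullchain.crt: order ok"
bundle_in_order reversed.crt || echo "reversed.crt: out of order"
```

Running `bundle_in_order` against the real fullchain.crt before reloading the web server catches a swapped `cat` argument order.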
