Updated 10 hours ago
Your site works in Chrome. It fails in Firefox. Same certificate, same server, different result.
This is the signature of an incomplete certificate chain. The server isn't sending all the certificates browsers need to verify the connection. Chrome heroically downloads the missing pieces. Firefox refuses. Mobile browsers often fail silently.
Understanding why this happens—and how to fix it—eliminates one of the most confusing SSL/TLS problems you'll encounter.
The Chain of Trust
When you buy an SSL certificate, you're not buying trust directly. You're buying a signature from someone browsers already trust.
Here's how it works: Your certificate is signed by an intermediate Certificate Authority. That intermediate is signed by another intermediate, or by a root CA. The root CA is self-signed—it vouches for itself—and browsers come pre-loaded with a list of roots they trust.
To verify your certificate, browsers must trace this chain:
Each arrow represents a cryptographic signature. If browsers can follow this path from your certificate to a root they trust, the connection is verified. If any link is missing, verification fails.
The catch: browsers only store root certificates. Intermediates must come from the server.
Why Chains Break
You installed only your certificate. CAs typically provide two files: your certificate and a "chain" or "bundle" file containing intermediates. Install only the first, and you've broken the chain.
Wrong file order. Certificates must be sent end-entity first, then intermediates in sequence toward the root. Reverse the order and browsers can't follow the path.
Partial chains. Your certificate might require two intermediates. Send only one and browsers can't complete the verification.
Manual renewal mistakes. You combined files correctly once. Six months later, you renewed and forgot to combine them again.
The Browser Lottery
Here's where it gets frustrating. Different browsers handle missing intermediates differently:
Chrome and Edge look for an Authority Information Access (AIA) extension in your certificate. If present, they'll download the missing intermediate from the CA's server. Your site works, but with added latency.
Firefox doesn't fetch missing intermediates. It fails immediately with a certificate error.
Mobile browsers vary wildly. Some attempt AIA fetching, others don't. Safari on iOS often fails where desktop Safari succeeds.
This inconsistency is maddening. You test in Chrome—everything works. Users complain your site is broken. You can't reproduce it. Eventually someone mentions they're using Firefox on Android, and suddenly the problem has a name.
Detecting Incomplete Chains
SSL Labs is the definitive test. Run your domain through ssllabs.com/ssltest. Under "Certification Paths," it shows exactly what the server sends. Look for warnings like "Chain issues: Incomplete."
OpenSSL from the command line:
Count the certificate blocks (text between BEGIN CERTIFICATE and END CERTIFICATE). You need at least two: your certificate and one intermediate. One block means incomplete chain.
Test in Firefox. If Chrome works and Firefox doesn't, you've found your answer.
Fixing the Chain
Step 1: Get your intermediates. Download the chain/bundle file from your CA. It's usually on the same page where you downloaded your certificate.
Step 2: Combine the files. Create a single file with your certificate first, followed by intermediates:
If there are multiple intermediates:
Order matters. Your certificate first, then each intermediate in sequence toward the root.
Step 3: Configure your server.
Nginx:
Apache:
Step 4: Reload.
Step 5: Test again. Re-run SSL Labs. Check Firefox. Check mobile.
ACME Clients Handle This Automatically
If you're using Let's Encrypt with Certbot, you get two certificate files:
cert.pem— just your certificatefullchain.pem— your certificate plus all intermediates
Always use fullchain.pem. This is the most common mistake with Certbot. Someone copies the configuration from a tutorial that uses cert.pem, and now they have an incomplete chain.
acme.sh and other ACME clients work similarly. Look for the fullchain file.
Why You Shouldn't Rely on AIA
Yes, Chrome downloads missing intermediates. Don't count on it.
Latency. Every new visitor's browser must fetch the intermediate before completing the handshake. That's an extra round trip to a server you don't control.
Reliability. If the CA's server is slow or down, your site appears broken.
Privacy. When browsers fetch intermediates, they're telling the CA which sites users are visiting. That's a hidden privacy cost.
Mobile. Many mobile browsers don't implement AIA fetching. Your site just fails.
Send complete chains. Don't make browsers work around your misconfiguration.
Common Mistakes
Using cert.pem instead of fullchain.pem. The single most common cause of incomplete chains with ACME clients.
Including the root certificate. Don't. Browsers already have it. Including the root wastes bandwidth and can cause verification issues.
Wrong order. End-entity certificate must come first. Intermediates follow in sequence toward the root.
Forgetting after renewal. If you manually combined files, you must do it again every renewal. ACME clients handle this automatically—another reason to use them.
Managed Services Handle This for You
AWS Certificate Manager, Cloudflare, Google Cloud Load Balancing, Azure Application Gateway—all of these manage certificate chains automatically. Upload your certificate, and they figure out the intermediates.
Kubernetes cert-manager does the same when obtaining certificates from Let's Encrypt.
If chain management sounds tedious, these services eliminate the problem entirely.
Frequently Asked Questions About Incomplete Certificate Chains
Was this page helpful?