Your server is sending an incomplete SSL certificate chain. Some clients can't build a path to a trusted root CA, causing TLS handshake failures or certificate trust warnings.
Configure your server to send the full certificate chain (your certificate + all intermediate CA certificates), not just the leaf certificate.
A TLS handshake works when the client can build a chain from your server's certificate up to a root CA in its trust store. Browsers ship with all common root CAs, but the intermediate certificates between your cert and the root must be sent by the server. If those intermediates are missing, some clients (especially non-browser clients, mobile apps, and older systems) reject the connection.
Modern browsers often "AIA fetch" the missing intermediates and silently fix it, masking the problem. But many clients — Java, OpenSSL CLI, mobile apps, some IoT devices, monitoring tools, and email servers — don't. They throw "unable to get local issuer certificate" or similar errors and fail the handshake. SMTP, in particular, is sensitive: a missing intermediate often means delivery to TLS-required hosts fails.
Connect to your server and inspect the certificate chain it sends.
echo | openssl s_client -showcerts -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | grep -E "subject|issuer"

The server should send your leaf certificate first, then each intermediate in order, and stop before the root CA. The root must NOT be in your bundle (clients have their own).
Most CAs publish their intermediate bundles. Let's Encrypt: download the chain from letsencrypt.org. DigiCert, GoDaddy, Sectigo: each has a bundle download in their dashboard.
Build a fullchain.pem in the right order: leaf first, then intermediates.
# Incomplete: the Nginx directive points at the leaf certificate alone.
ssl_certificate /etc/ssl/leaf.pem;

# Complete: concatenate leaf + intermediates (leaf first), then point the directive at the bundle.
cat leaf.pem intermediate.pem > fullchain.pem
ssl_certificate /etc/ssl/fullchain.pem;

Use SSL Labs' SSL Test or our SSL checker to confirm the chain is now complete and the grade is A or A+.
# Nginx:
sudo nginx -t && sudo systemctl reload nginx
# Apache:
sudo apachectl -t && sudo systemctl reload apache2

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
Chrome can fetch missing intermediates via AIA. Most mobile apps and non-browser clients can't. They'll fail the handshake when intermediates are missing — even though the browser succeeds.
No. Clients trust roots from their own trust store. Sending the root wastes bandwidth and can cause some older clients to reject the connection. Stop at the highest intermediate.
Your CA publishes them. Let's Encrypt: chain.pem in their cert bundle. Other CAs: check their support documentation. SSL Labs' test will also tell you exactly which intermediates are missing.