TL;DR: The Quick Fix
You are seeing this error because your web server is only serving the site's certificate and skipping the intermediate ones. While modern desktop browsers often mask this issue, CLI tools like curl, Node.js scripts, and older Android browsers will fail immediately.
To fix it, bundle your domain certificate and the intermediate CA certificate into a single file:
# Combine your certificate and the bundle provided by your CA
cat your_domain_cert.crt intermediate.crt > fullchain.pem
Finally, update your web server configuration to point to this fullchain.pem file instead of the standalone certificate.
Why the Chain Breaks
Certificate Authorities (CAs) like Let's Encrypt, Sectigo, or DigiCert don't usually sign your certificate directly with their root certificate. Instead, they sign it with an intermediate certificate that is itself signed by the root, forming a chain of trust. This lets the root's private key stay offline: if an intermediate key is ever compromised, the CA can revoke and replace that intermediate without replacing the root that ships in every client's trust store.
If you install only the "leaf" (your domain's certificate), the chain is broken at its first link. Desktop Chrome, Edge and Safari paper over this with AIA fetching: they read the Authority Information Access URL embedded in the leaf and download the missing intermediate on the fly. Firefox gets a similar effect from its preloaded list of known intermediates. openssl, curl, Python's requests, Node.js and many mobile apps do none of this. They expect the server to send every intermediate needed to reach a root that is already in the client's trust store (the root itself does not need to be sent; including it only adds bytes to every handshake).
Typical messages, from Node.js and curl respectively, both describing the same missing intermediate:
unable to verify the first certificate
SSL certificate problem: unable to get local issuer certificate
This explains why your site might look perfect on your MacBook but fails inside a Docker container or on a 3-year-old Android phone.
Configuring Nginx Correctly
Nginx requires the entire certificate chain to live in a single .pem or .crt file. Order is critical here. Your domain certificate must appear first, followed by the intermediate certificates.
- Create your bundled file:
cat example_com.crt intermediate.crt > /etc/nginx/ssl/fullchain.pem
- Update your server block in /etc/nginx/sites-available/default:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/example_com.key;
# ... other settings
}
- Verify the syntax and reload (a reload picks up the new files without dropping existing connections):
nginx -t && systemctl reload nginx
Configuring Apache
Apache's configuration depends on your version. Since 2.4.8 (released in 2014), SSLCertificateFile accepts the same leaf-plus-intermediates bundle that Nginx uses, and SSLCertificateChainFile is deprecated (still honoured, but no longer needed).
Modern Apache (2.4.8+)
Use the fullchain.pem we created earlier. It simplifies the config significantly.
SSLCertificateFile /etc/apache2/ssl/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/example_com.key
Legacy Apache (Older than 2.4.8)
You must specify the intermediate file separately using the SSLCertificateChainFile directive. If your CA uses more than one intermediate, the file must contain them in order, starting with the one that signed your certificate and working up towards the root.
SSLCertificateFile /etc/apache2/ssl/example_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/example_com.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
Dealing with Node.js Client Errors
When your Node.js app hits an API with a broken SSL chain, you might feel tempted to set NODE_TLS_REJECT_UNAUTHORIZED=0. Avoid this. It disables certificate verification for every TLS connection the process makes, not just the one that is failing, and invites man-in-the-middle attacks.
If you do not control the server, the right workaround is to hand Node the missing intermediate through NODE_EXTRA_CA_CERTS (read once, at process start):
export NODE_EXTRA_CA_CERTS="/path/to/intermediate.crt"
node app.js
This works because the intermediate is added to the store Node's OpenSSL consults while building the chain, so the leaf can be linked to the intermediate and the intermediate to a root in Node's bundled CA list. Verification still ends at a trusted root and the hostname is still checked; you have only supplied the link the server should have sent. Treat it as a stopgap and ask the server's operator to fix their chain.
Testing Your Changes
Don't rely on your personal browser to verify the fix. Use tools that specifically check the chain depth.
1. The OpenSSL Terminal Test
Run the following command to see exactly what the server sends. Pass -servername so the server picks the certificate for that hostname (SNI); without it, a server hosting several sites may hand you a different certificate than your users get.
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
The "Certificate chain" section should list your certificate at position 0, followed by the intermediate(s) at position 1 (and 2 if your CA uses two). If only position 0 appears, the server is sending the leaf alone. At the bottom, Verify return code: 0 (ok) means the chain is complete; Verify return code: 21 (unable to verify the first certificate) means it still is not. s_client verifies against the local trust store, so run it from a machine whose store includes your CA's root, or point it at the root with -CAfile.
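As an added example (not part of the original article), the following script exercises both the bundling step from the Nginx section and the verification step above, against a root/intermediate/leaf PKI it constructs on the fly. It assumes only that the openssl command line tool (1.1.1 or newer) is on PATH; the "Example Test" CA names, the file names and the guard functions are this example's own, not something your CA, nginx or openssl provides.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway
# root -> intermediate -> leaf PKI with the openssl CLI, then shows three
# checks you can reuse on your real files: does the intermediate really
# issue the leaf, is the bundle in leaf-first order, and does a strict
# client that trusts only the root accept it. Assumes openssl 1.1.1+ is on
# PATH. Every certificate below is constructed here and stands in for the
# files your CA hands you.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI with the same shape as a public CA's hierarchy.
make_test_pki() {
  # Self-contained openssl config, so nothing depends on the system one.
  printf '[req]\ndistinguished_name = dn\n[dn]\n[root_ext]\n' > "$WORK/req.cnf"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$WORK/req.cnf"
  # Root: self-signed. At a real CA this key lives offline.
  openssl req -x509 -config "$WORK/req.cnf" -extensions root_ext -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate: signed by the root, may sign leaves only (pathlen:0).
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example Test Intermediate" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/intermediate.crt" 2>/dev/null
  # Leaf for example.com: signed by the intermediate, never by the root.
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=example.com" \
    -keyout "$WORK/example_com.key" -out "$WORK/example_com.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:example.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -days 30 -in "$WORK/example_com.csr" \
    -CA "$WORK/intermediate.crt" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/example_com.crt" 2>/dev/null
}

# issued_by CERT CANDIDATE: is CANDIDATE's Subject exactly CERT's Issuer?
# A name match is how chain building starts; verify_as_strict_client below
# does the signature check that actually proves the link.
issued_by() {
  iss=$(openssl x509 -noout -issuer -in "$1"); iss=${iss#issuer=}
  sub=$(openssl x509 -noout -subject -in "$2"); sub=${sub#subject=}
  [ "$iss" = "$sub" ]
}

# build_fullchain LEAF INTERMEDIATE OUT: the article's `cat` with a guard.
# A stale intermediate.crt left over from an earlier renewal is refused
# here instead of being discovered by your users.
build_fullchain() {
  issued_by "$1" "$2" || { echo "refusing: $2 did not issue $1" >&2; return 1; }
  cat "$1" "$2" > "$3"   # order matters: leaf first, then its issuer(s)
}

# chain_in_order BUNDLE: split the PEM bundle and require that every
# certificate is issued by the one after it. nginx loads a reversed or
# leaf-only bundle without complaint; clients do not.
chain_in_order() {
  d=$(mktemp -d "$WORK/split.XXXXXX")
  awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/" n ".pem") }' "$1"
  [ -f "$d/2.pem" ] || return 1   # a single certificate is the very bug this page is about
  i=1
  while [ -f "$d/$((i + 1)).pem" ]; do
    issued_by "$d/$i.pem" "$d/$((i + 1)).pem" || return 1
    i=$((i + 1))
  done
}

# verify_as_strict_client BUNDLE ROOT: emulate curl or Node with only the
# root in its trust store. The bundle is the sole source of intermediates,
# exactly as the server's handshake is for a real client.
verify_as_strict_client() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

make_test_pki
echo "leaf alone, as a strict client sees it:"
openssl verify -CAfile "$WORK/root.crt" "$WORK/example_com.crt" || true

build_fullchain "$WORK/example_com.crt" "$WORK/intermediate.crt" "$WORK/fullchain.pem"
chain_in_order "$WORK/fullchain.pem" && echo "fullchain.pem: leaf-first order ok"
verify_as_strict_client "$WORK/fullchain.pem" "$WORK/root.crt" && echo "fullchain.pem: verifies against the root"

# The two classic mistakes, both caught before the bundle reaches nginx:
cat "$WORK/intermediate.crt" "$WORK/example_com.crt" > "$WORK/reversed.pem"
chain_in_order "$WORK/reversed.pem" || echo "reversed.pem: rejected (intermediate before leaf)"
build_fullchain "$WORK/example_com.crt" "$WORK/root.crt" "$WORK/skipped.pem" \
  || echo "skipped.pem: rejected (root is not the leaf's issuer)"
```

Point build_fullchain and chain_in_order at your real example_com.crt and intermediate.crt instead of the generated ones, and give verify_as_strict_client the root your CA publishes. The output of openssl s_client -showcerts saved to a file can be fed to chain_in_order as well: the splitter keys on the BEGIN CERTIFICATE markers and openssl x509 ignores the surrounding handshake text.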
2. Qualys SSL Labs
For a comprehensive audit, use the SSL Labs Server Test. If the chain is broken, the report says "Chain issues: Incomplete" and caps the grade at B no matter how good the rest of the configuration is; a correctly configured server should get an A.
3. Why did this happen after a renewal?
CAs rotate their intermediate certificates from time to time. Even if your configuration hasn't changed in years, a newly issued certificate may be signed by a different intermediate than the one in your old intermediate.crt, so always take the bundle your CA provides with the new certificate rather than reusing the previous file. If you use certbot or another ACME client, it already writes a fullchain.pem next to cert.pem: point the server at fullchain.pem, not cert.pem, and the current intermediate comes along with every renewal.