Missing Intermediate Certificate Error
A missing intermediate certificate breaks the SSL trust chain. Learn why this error occurs, how to find the missing intermediate, and how to fix your server config.
A missing intermediate certificate error means your web server is not sending the intermediate CA certificate(s) that link your leaf certificate to a trusted root. Without the full chain, browsers that haven't cached the intermediate certificate cannot verify trust — and they'll show an error.
Why This Error Is So Common
Desktop browsers often cache intermediate certificates from previous visits, which means a broken chain "works" on your machine but fails for other users (particularly mobile users, who clear caches more often, or users visiting for the first time). This is why incomplete chain errors frequently appear as intermittent or device-specific complaints.
How to Diagnose It
Check your certificate chain with:
openssl s_client -connect yourdomain.com:443 -showcerts </dev/null 2>/dev/null
This shows all certificates sent by the server. Count the certificates — for a Let's Encrypt certificate you expect 2 (leaf + intermediate). If you see only 1, the intermediate is missing.
Also check with: SSL Labs Server Test — it explicitly reports chain issues.
How to Find the Missing Intermediate
The missing intermediate can be found via the Authority Info Access extension in your leaf certificate. Paste the leaf cert into the decoder and look at the Authority Info Access section — it contains a CA Issuers - URI: URL that points to the intermediate CA certificate file, which you can download.
How to Fix It
- Let's Encrypt: Use fullchain.pem in your server config, not cert.pem. The fullchain.pem file includes both the leaf and intermediate certificates.
- Nginx: The ssl_certificate directive should point to a file containing the leaf cert followed by the intermediate cert(s).
- Apache: Use SSLCertificateFile for the leaf and SSLCertificateChainFile for the intermediates (or concatenate them for newer Apache versions).
- Other servers: Concatenate the leaf PEM and intermediate PEM into a single file, leaf first, then intermediate(s).
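The difference between serving cert.pem and serving fullchain.pem can be reproduced offline. The script below is an added example, not part of the original page: it builds a throwaway root, intermediate and leaf with the openssl CLI and validates each served file the way a client with no cached intermediate would. It assumes OpenSSL 1.1.0 or later on the PATH; the function names build_test_pki and chain_ok and all certificate names are made up for the illustration.

```shell
#!/bin/sh
# Added example: throwaway three-tier PKI; every name and file is a constructed test value.
set -eu

build_test_pki() {  # $1 = working directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root intermediate leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.csr" -subj "/CN=Example Test $n" 2>/dev/null
  done
  # Self-signed root, root-signed intermediate, intermediate-signed leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 1 -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
    -days 1 -out "$d/intermediate.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial \
    -days 1 -out "$d/leaf.pem" 2>/dev/null
  # What the server should send: leaf first, then the intermediate.
  cat "$d/leaf.pem" "$d/intermediate.pem" > "$d/fullchain.pem"
}

# chain_ok ROOT SERVED: validate the first cert in SERVED (what the server
# sends, leaf first) with only ROOT trusted. The other certs in SERVED are
# untrusted helpers, the way a client with no cached intermediates sees them.
chain_ok() {
  openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_test_pki "$work"

if chain_ok "$work/root.pem" "$work/leaf.pem"; then
  echo "leaf only (cert.pem style): chain verifies"
else
  echo "leaf only (cert.pem style): FAILS, issuer not found"
fi
if chain_ok "$work/root.pem" "$work/fullchain.pem"; then
  echo "leaf + intermediate (fullchain.pem style): chain verifies"
else
  echo "leaf + intermediate (fullchain.pem style): FAILS"
fi
```

To run the same check against a real deployment, call chain_ok with your CA's root certificate and the exact file your server's certificate directive points to.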