With a basic SSL/TLS certificate, new users may get confused and run into errors. The most common error reported by the SSL Labs test is "Chain issues – Incomplete", which usually results in "Grade capped to B". Here is the Nginx SSL certificate incomplete chain issues fix guide. GeoTrust and Thawte actually send everything needed. Usually, for Quick SSL certificates, the server certificate is sent via email and you need to download the bundle certificate. The error can happen with any SSL/TLS certificate when the wrong method is used for implementation.
Nginx SSL Certificate Incomplete Chain Issues Fix
We have many SSL/TLS certificate installation guides; if you followed one of our guides, this error is unlikely to ever occur. The trusted root certificate should not be in the file, as it is already included in the system's root certificate store. You do not need to think about it.
First, you have the domain's certificate, usually sent via email, which looks like this:
    -----BEGIN CERTIFICATE-----
    EQQ4MDaCG3d3dy50aGVjdXN0b21pemV3aW5kb3dzLmNvbYIXdGhlY3VzdG9taXpl
    d2luZG93cy5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3JhcGlkc3NsLWNy
    bC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0OBBYEFEcqD1st
    6ABsupIFv7A3FYLmUfdIOgvHQqIM+2fSMJfSsu7Nuvjpg2O+Hb9juyDOZMejxKuo
    ARAMI9brWFL5bu5p1NFPZkJtdFyZ/OIehr5EbVzutqZqT960OZC9YKFUjaTiKnOE
    E17ZtOi5VQ0KzqUdaxSsAm3DwKLDM9W49A==
    -----END CERTIFICATE-----
Copy and paste that into any text editor.
The second is the intermediate CA certificate. It might not come via email; you will get it on the SSL certificate's website. There are two intermediate CA certificates, named like RSAAddTrustCA.crt and DomainValidationSecureServerCA.crt. RapidSSL also gives the two together; that is the bundle. These also look like this:
    -----BEGIN CERTIFICATE-----
    EQQ4MDaCG3d3dy50aGVjdXN0b21pemV3aW5kb3dzLmNvbYIXdGhlY3VzdG9taXpl
    d2luZG93cy5jb20wQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3JhcGlkc3NsLWNy
    bC5nZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0OBBYEFEcqD1st
    Lot of stuffs
    6ABsupIFv7A3FYLmUfdIOgvHQqIM+2fSMJfSsu7Nuvjpg2O+Hb9juyDOZMejxKuo
    ARAMI9brWFL5bu5p1NFPZkJtdFyZ/OIehr5EbVzutqZqT960OZC9YKFUjaTiKnOE
    E17ZtOi5VQ0KzqUdaxSsAm3DwKLDM9W49A
    -----END CERTIFICATE-----
In practice, all three should be pasted into that plain text file in this way:
    -----BEGIN CERTIFICATE-----
    EQQ4MDaCG3d3dy50aGVjdXN0b21pemV3aW5kb3dzLmNvbYIXdGhlY3VzdG9taXpl
    Lot of stuffs
    ARAMI9brWFL5bu5p1NFPZkJtdFyZ/OIehr5EbVzutqZqT960OZC9YKFUjaTiKnOE
    E17ZtOi5VQ0KzqUdaxSsAm3DwKLDM9W49A
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    AQQ4MDaCG3d3dy50aGVjdXN0b21pemV3aW5kb3dzLmNvbYIXdGhlY3VzdG9taXpl
    Lot of stuffs
    GRAMI9brWFL5bu5p1NFPZkJtdFyZ/OIehr5EbVzutqZqT960OZC9YKFUjaTiKnOE
    P17ZtOi5VQ0KzqUdaxSsAm3DwKLDM9W49A
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    QQ4MDaCG3d3dy50aGVjdXN0b21pemV3aW5kb3dzLmNvbYIXdGhlY3VzdG9taXpl
    Lot of stuffs
    RAMI9brWFL5bu5p1NFPZkJtdFyZ/OIehr5EbVzutqZqT960OZC9YKFUjaTiKnOE
    17ZtOi5VQ0KzqUdaxSsAm3DwKLDM9W49A
    -----END CERTIFICATE-----
These are expired examples; do not paste your domain's certificate on question-and-answer forums. The second two, or the two combined into one, are publicly available, but the first one is a kind of love letter: secret. For Nginx, saving it all as nginx.crt makes one certificate file. The other file is your key, which is not relevant here.
If you SSH to your server, create a new file named foo.csr with the nano text editor and paste the above into it, it will work fine once you adjust the path to these files in either the nginx.conf file or the /etc/nginx/sites-available/default file. If your certificates are located in a directory named foo under /path/to/, then the Nginx configuration should look like this:
    ssl_certificate /path/to/foo/signed_cert_plus_intermediate.crt;
    ssl_certificate_key /path/to/foo/server.key;
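Instead of that copy and paste, people combine the files in this way:
    # your_domain.crt is a placeholder for the server certificate; it goes first, then the intermediates
    cat your_domain.crt DomainValidationSecureServerCA.crt RSAAddTrustCA.crt > signed_cert_plus_intermediate.crt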
This process of joining files together is called concatenation. On an OS X or GNU/Linux desktop, copying and pasting in a GUI works fine. People recommend cat because it is difficult to predict who will copy and paste through Microsoft Word.
Alternative way to Fix Incomplete Chain Issues
There is a command line tool:
    https://github.com/zakjan/cert-chain-resolver #copy paste on text editor first
It is very easy to use: you need not manually hunt down all the intermediate CA certificates and copy and paste them. If you only have the server's certificate, it will work fine. It can be difficult for a new user, but basically it is the easiest way.
A "Contains anchor" error means you have added the root certificate too. That was wrong. When you get this error, create a new named directory and freshly create the file as written above.
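A way to check a concatenated bundle before reloading Nginx, as an added example that is not part of the original guide: it flags boundary lines that are not exactly five dashes, a missing intermediate, wrong order, and an included root ("Contains anchor"). It compares issuer and subject names only and does not verify signatures; `fake_cert` and the certificate names are constructed sample input.

```python
import base64, re
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM = re.compile(f"^{BEGIN}$\n(.*?)\n^{END}$", re.M | re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    pos, fields = tlv(der, tlv(der, 0)[1])[1], []   # step into Certificate, then tbsCertificate
    while len(fields) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(text):
    """Return findings for a concatenated PEM bundle; an empty list means it looks right."""
    lines = [ln.strip() for ln in text.replace("\ufeff", "").splitlines()]
    findings = [f"malformed boundary line: {ln!r}" for ln in lines
                if "CERTIFICATE" in ln and ln not in (BEGIN, END)]
    if findings:
        return findings                    # boundaries must be exact before parsing
    names = [issuer_subject(base64.b64decode(b)) for b in PEM.findall("\n".join(lines))]
    for i, (issuer, subject) in enumerate(names):
        if issuer == subject:              # self-signed: the root ("Contains anchor")
            findings.append(f"contains anchor: certificate {i + 1} is a self-signed root")
        elif i + 1 < len(names) and names[i + 1][1] != issuer:
            findings.append(f"wrong order: certificate {i + 2} did not issue certificate {i + 1}")
    if len(names) < 2 and not findings:
        findings.append("incomplete: no intermediate certificate after the server certificate")
    return findings

def fake_cert(issuer_cn, subject_cn):
    """Constructed sample input: X.509 field layout only, empty validity and signature."""
    seq = lambda tag, body: bytes([tag, len(body)]) + body
    name = lambda cn: seq(0x30, seq(0x31, seq(0x30, b"\x06\x03\x55\x04\x03" + seq(0x0C, cn.encode()))))
    tbs = seq(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + name(issuer_cn) + b"\x30\x00" + name(subject_cn))
    der = seq(0x30, tbs + b"\x30\x00\x03\x01\x00")
    return f"{BEGIN}\n{base64.b64encode(der).decode()}\n{END}\n"

LEAF = fake_cert("Constructed DV CA", "example.test")        # constructed names
INTER = fake_cert("Constructed Root", "Constructed DV CA")
ROOT = fake_cert("Constructed Root", "Constructed Root")
```

On a real file, pass its text to `check_bundle`, for example `check_bundle(open("signed_cert_plus_intermediate.crt").read())`.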