Wrong certificate chain order
The server is presenting certificates in the wrong order. Most deployments should send the leaf first, then each issuing intermediate in sequence.
Correct order
- Position 1The leaf certificate for the site hostname.
- Position 2+Each intermediate certificate in issuer order until the final intermediate.
- Do not send firstAn intermediate or root certificate as the first certificate in the bundle.
Common mistake
- Manual concatenationOperators often paste certs in the wrong order while building a bundle or fullchain file.
Verify after change
- Presented chain viewEach certificate issuer should match the next certificate subject.
- Trust resultAuthorization errors related to chain building should disappear if the bundle is otherwise complete.