Introduction
Transport Layer Security (TLS) certificates enable encrypted connections between clients and servers. Certificate validation ensures the server's identity through a chain of trust from the server certificate through intermediate certificates to a root certificate authority trusted by the client's browser or operating system. When this validation fails, clients reject connections with security warnings or outright failures.
Expired certificates and incomplete certificate chains are two distinct but often confused failure modes. An expired certificate has passed its validity dates—the notAfter field in the certificate defines the expiration moment. An incomplete chain means the server presents a certificate without the necessary intermediate certificates that connect it to a trusted root, resulting in "unable to get local issuer certificate" errors.
Both issues cause browsers to display security warnings, API clients to fail with certificate errors, and automated systems to reject connections. Understanding the difference—and diagnosing which problem affects your server—is essential for implementing the correct fix. Simply checking local files is insufficient; the live endpoint must be tested to see what clients actually receive.
Symptoms
When SSL certificate expiration or chain validation fails, you will observe these symptoms:
- Browser security warnings: "Your connection is not private" or "Certificate expired"
curlandwgetfail with certificate validation errors- API clients reject connections with SSL/TLS handshake failures
- Some clients work while others fail (due to cached intermediates)
- Certificate renewal completed but endpoint still serves old certificate
- Mixed clients behavior—mobile apps fail while desktop browsers work
- Monitoring systems alert on certificate expiration
- Internal services cannot connect to HTTPS endpoints
Common browser error messages:
Chrome: "NET::ERR_CERT_DATE_INVALID"
Chrome: "NET::ERR_CERT_AUTHORITY_INVALID"
Firefox: "SEC_ERROR_EXPIRED_CERTIFICATE"
Firefox: "SEC_ERROR_UNKNOWN_ISSUER"
Safari: "This certificate has expired"
Safari: "This certificate was not signed by a trusted authority"
Edge: "DLG_FLAGS_SEC_CERT_DATE_INVALID"Command-line client errors:
```bash curl https://example.com # Output: curl: (60) SSL certificate problem: certificate has expired curl: (35) SSL certificate problem: unable to get local issuer certificate curl: (51) SSL: no alternative certificate subject name matches target host name 'example.com'
wget https://example.com # Output: ERROR: cannot verify example.com's certificate, issued by 'CN=Example CA' Unable to locally verify the issuer's authority ERROR: certificate common name 'old.example.com' doesn't match requested host name 'example.com' ```
OpenSSL s_client output:
CONNECTED(00000003)
depth=0 CN = example.com
verify error:num=10:certificate has expired
verify return:1
depth=0 CN = example.com
verify error:num=20:unable to get local issuer certificate
verify return:0Common Causes
Several factors cause SSL certificate expiration and chain validation failures:
- 1.Certificate renewal not applied: The certificate was renewed on disk but the web server, proxy, or load balancer hasn't reloaded the new certificate file.
- 2.Expired certificate on disk: The certificate file itself has expired because renewal automation failed or was never configured.
- 3.Incomplete certificate chain: The server presents only the leaf certificate without intermediate certificates, breaking the trust chain.
- 4.Wrong intermediate certificate: After renewal, the intermediate certificate changed (e.g., Let's Encrypt changed intermediates), but server still uses old intermediate.
- 5.Mixed certificate nodes: In clustered or load-balanced deployments, some nodes serve the new certificate while others still serve the old one.
- 6.Certificate file path errors: Configuration references wrong certificate file path, serving an old or placeholder certificate.
- 7.CDN or proxy configuration outdated: Traffic passes through CDN or reverse proxy that hasn't updated its certificate configuration.
- 8.Client missing root certificates: Old clients or systems haven't updated their trusted root certificate store (less common for modern CA certificates).
- 9.Time synchronization issues: Server or client clock is incorrect, causing valid certificates to appear expired.
Step-by-Step Fix
Follow these steps to diagnose and resolve SSL certificate issues:
Step 1: Check the live certificate being served
Test what clients actually receive from the endpoint:
```bash # Check certificate dates and issuer echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -issuer -subject
# Output for expired certificate: issuer=C = US, O = Let's Encrypt, CN = R3 subject=CN = example.com notBefore=Jan 15 00:00:00 2025 GMT notAfter=Apr 15 00:00:00 2025 GMT # Expired
# Output for missing intermediate: issuer=C = US, O = DigiCert, CN = DigiCert TLS RSA SHA256 2020 CA1 # If issuer not in client's trust store, chain incomplete
# Check full certificate chain echo | openssl s_client -connect example.com:443 -servername example.com -showcerts 2>/dev/null | grep -E "depth|subject|issuer" ```
Step 2: Check certificate validity dates
Verify the certificate expiration:
```bash # Get certificate expiration date echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate
# Output: notAfter=Apr 15 00:00:00 2026 GMT
# Calculate days until expiration EXPIRY=$(echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2) DAYS=$(( ( $(date -d "$EXPIRY" +%s) - $(date +%s) ) / 86400 )) echo "Certificate expires in $DAYS days"
# If negative days, certificate has expired ```
Step 3: Verify the local certificate file
Check the certificate file on disk:
```bash # Check certificate file dates openssl x509 -in /etc/nginx/ssl/server.crt -noout -dates -issuer -subject
# Compare with live certificate # If different, server hasn't reloaded
# Check certificate chain file openssl x509 -in /etc/nginx/ssl/fullchain.pem -noout -dates -issuer -subject
# For Let's Encrypt, check renewal status certbot certificates
# Output: Certificate Name: example.com Expiry Date: 2026-04-15 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem ```
Step 4: Verify the certificate chain completeness
Test chain validation:
```bash # Verify chain against system CA store openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/nginx/ssl/server.crt
# Output for incomplete chain: C = US, CN = example.com error 20 at 0 depth lookup: unable to get local issuer certificate
# Verify with full chain openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/nginx/ssl/fullchain.pem
# Output for complete chain: /etc/nginx/ssl/fullchain.pem: OK
# Check chain depth openssl verify -verbose -CApath /etc/ssl/certs/ /etc/nginx/ssl/fullchain.pem ```
Step 5: Check intermediate certificates
Verify correct intermediate is used:
```bash # Extract intermediate from chain openssl x509 -in /etc/nginx/ssl/chain.pem -noout -issuer -subject
# For Let's Encrypt, current intermediate is R4 (RSA) or E1 (ECDSA) # Check if using outdated R3 intermediate
# Download correct intermediate wget https://letsencrypt.org/certs/lets-encrypt-r4.pem -O /etc/nginx/ssl/chain.pem
# Build full chain cat /etc/nginx/ssl/cert.pem /etc/nginx/ssl/chain.pem > /etc/nginx/ssl/fullchain.pem ```
Step 6: Renew expired certificate
If certificate is expired, renew it:
```bash # For Certbot/Let's Encrypt certbot renew
# Dry run first certbot renew --dry-run
# Force renewal if needed certbot renew --force-renewal
# For specific certificate certbot certonly --force-renewal -d example.com
# Check renewal status certbot certificates
# Verify new certificate on disk openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -dates ```
Step 7: Reload web server configuration
Ensure server loads new certificate:
```bash # For Nginx nginx -t # Test configuration systemctl reload nginx
# For Apache apachectl configtest systemctl reload apache2
# For HAProxy systemctl reload haproxy
# For direct OpenSSL reload # Some services need full restart systemctl restart nginx
# Verify reload applied echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates # Dates should reflect new certificate ```
Step 8: Fix configuration for full chain
Configure server to serve complete chain:
```nginx # Nginx configuration - use fullchain, not just cert server { listen 443 ssl; server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # NOT cert.pem ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; } ```
# Apache configuration
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>Step 9: Check clustered deployments
Verify all nodes serve correct certificate:
```bash # Check each load balancer node for node in lb1 lb2 lb3; do echo "Checking $node:" ssh $node "openssl x509 -in /etc/nginx/ssl/fullchain.pem -noout -dates" done
# Ensure all nodes show same dates # If different, sync certificate files across nodes
# Sync certificates across cluster rsync -av /etc/letsencrypt/live/example.com/ lb2:/etc/letsencrypt/live/example.com/ ssh lb2 "systemctl reload nginx" ```
Verification
After fixing certificate issues, verify the endpoint works:
```bash # Test with curl (should succeed) curl -I https://example.com
# Expected output: HTTP/2 200 server: nginx
# Verify certificate details echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -issuer
# Expected valid dates: notBefore=Jan 15 00:00:00 2026 GMT notAfter=Apr 15 00:00:00 2026 GMT
# Verify chain openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /etc/nginx/ssl/fullchain.pem # Output: OK
# Test with OpenSSL verify at full depth echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | grep "Verify return" # Expected: Verify return code: 0 (ok) ```
Browser verification:
Chrome: Click certificate icon in address bar > Connection is secure
Firefox: Click lock icon > Connection secure > More information > View Certificate
Safari: Click lock icon > Show CertificatePrevention
To prevent SSL certificate expiration and chain validation failures:
- 1.Monitor certificate expiration externally: Set up external monitoring that checks the live endpoint.
# Simple monitoring script
#!/bin/bash
EXPIRY=$(echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f2)
DAYS=$(( ( $(date -d "$EXPIRY" +%s) - $(date +%s) ) / 86400 ))
if [ "$DAYS" -lt 30 ]; then
echo "Certificate expires in $DAYS days" | mail -s "SSL Alert" admin@example.com
fi- 1.Configure automatic certificate renewal: Use Certbot with automatic renewal.
```bash # Enable Certbot auto-renewal certbot renew --dry-run # Test first
# Add renewal hook to reload services certbot renew --deploy-hook "systemctl reload nginx"
# Set up cron job crontab -e # Add: 0 0 * * * certbot renew --quiet --deploy-hook "systemctl reload nginx" ```
- 1.Use fullchain certificate files: Always configure servers to use the full chain file.
```nginx # Correct: Use fullchain ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
# Wrong: Use only leaf certificate ssl_certificate /etc/letsencrypt/live/example.com/cert.pem; ```
- 1.Implement certificate deployment automation: Automate certificate sync across all nodes.
# Certificate sync script
#!/bin/bash
for node in lb1 lb2 lb3; do
rsync -av /etc/letsencrypt/live/ $node:/etc/letsencrypt/live/
ssh $node "systemctl reload nginx"
done- 1.Test after renewal: Verify the live endpoint serves new certificate immediately after renewal.
certbot renew
systemctl reload nginx
sleep 5
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates- 1.Document certificate paths: Maintain clear documentation of certificate file locations.
## Certificate Configuration
- Certificate: /etc/letsencrypt/live/example.com/fullchain.pem
- Key: /etc/letsencrypt/live/example.com/privkey.pem
- Renewal: Certbot cron at midnight
- Reload: systemctl reload nginx
- Monitoring: External check at checkssl.example.com- 1.Use certificate monitoring services: Deploy external monitoring that alerts before expiration.
- Uptime monitoring services (UptimeRobot, Pingdom)
- SSL-specific monitors (SSL Labs, SSL Checker)
- Internal monitoring with Prometheus exporters
Related Articles
- [SSL certificate troubleshooting: Fix Certificate And Private Key Do Not Match Issue](certificate-and-private-key-do-not-match)
- [Fix Fix Acme Account Still Using Old DNS Provider Credentials After Migration Issue in SSL](fix-acme-account-still-using-old-dns-provider-credentials-after-migration)
- [Fix Fix Acme Challenge Returning 404 Issue in SSL](fix-acme-challenge-returning-404)
- [Fix Fix Acme Http 01 Challenge Failing Due To Redirect Issue in SSL](fix-acme-http-01-challenge-failing-due-to-redirect)
- [Fix Fix Apache Too Many Redirects After SSL Issue in SSL](fix-apache-too-many-redirects-after-ssl)
<script type="application/ld+json"> { "@context": "https://schema.org", "@type": "TechArticle", "headline": "SSL Certificate Expired or Chain Validation Failed", "description": "Resolve SSL certificate expired and chain validation errors by checking the live certificate dates, deploying the full chain, and verifying the served certificate after renewal.", "url": "https://www.fixwikihub.com/ssl-certificate-expired-chain-validation-failed", "publisher": { "@type": "Organization", "name": "FixWikiHub", "url": "https://www.fixwikihub.com" }, "author": { "@type": "Person", "name": "FixWikiHub Editorial Team" }, "datePublished": "2026-01-22T23:33:56.432Z", "dateModified": "2026-01-22T23:33:56.432Z" } </script>