Checkhost.unboundtest.com doesn't support incomplete chains

@lestaff

It seems the checkhost service can't check domains with incomplete certificate chains. See e.g.:

Evidently it just returns "unknown: x509: certificate signed by unknown authority".

Is it feasible/possible/worth it to preload it with the X3 intermediate or enable AIA fetching or something?

For numbers, IIRC there's one other post where someone ran into this.

As the “incomplete chain” is another problem that must be resolved, maybe just updating the error message is enough?

Thanks for the reports. I’ll take a look and see if I can make a suitable change to the service.

Only the binary exists on the servers as far as find / -type f -name '*.go' can tell. @jsha when you are in for the day, would you mind taking a look please?

I’ve taken a stab at fixing this, and the immediately obvious fix doesn’t appear to be working. I’m going to attend to some other tasks and come back to this in a bit. Thanks so much for reporting!

Okay, I’ve deployed a fix. Please test it out and let me know if it works / doesn’t work!

I figured this was worth fixing because many people's sites may "mostly work" for a lot of users despite a missing intermediate, due to intermediate caching and AIA fetching. Since our goal is to let people know if their visitors will suddenly start seeing errors they didn't see before, I think handling this case is useful.
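As an added illustration of the two ideas raised in this thread (preloading the intermediate, and distinguishing "incomplete chain" from "signed by an unknown authority"), here is a small Go program that is not checkhost's or Let's Encrypt's code. It constructs a throwaway root, intermediate and leaf in memory, then verifies the leaf the way a client with an empty intermediate cache would (only the certificates the server sent) and, if that fails with Go's UnknownAuthorityError, retries with a preloaded intermediate pool. Success on the retry is reported as "incomplete-chain" rather than the generic "unknown authority" error the service used to show. The host name example.test and all certificates are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testChain is a constructed root -> intermediate -> leaf chain (test data, not real certificates).
type testChain struct {
	root, intermediate, leaf *x509.Certificate
}

// mustCert signs template with the parent's private key and parses the result back.
func mustCert(template, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newTestChain builds the three certificates in memory so the example runs offline.
func newTestChain() testChain {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Constructed Root")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intermediate := mustCert(ca(2, "Constructed Intermediate"), root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"}, // hypothetical host name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return testChain{root: root, intermediate: intermediate, leaf: leaf}
}

// checkChain returns one of "ok", "incomplete-chain", "unknown-authority" or "other".
// Pass 1 uses only the intermediates the server sent (an empty-cache client, no AIA
// fetching). If that fails with UnknownAuthorityError, pass 2 adds the preloaded
// intermediates; success there means the issuer is trusted but the chain was incomplete.
func checkChain(leaf *x509.Certificate, sent, preloaded []*x509.Certificate, roots *x509.CertPool, host string) (string, error) {
	verify := func(inters []*x509.Certificate) error {
		pool := x509.NewCertPool()
		for _, c := range inters {
			pool.AddCert(c)
		}
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: pool})
		return err
	}
	err := verify(sent)
	if err == nil {
		return "ok", nil
	}
	var ua x509.UnknownAuthorityError
	if !errors.As(err, &ua) {
		return "other", err // expired, name mismatch, bad signature, ...
	}
	if verify(append(append([]*x509.Certificate{}, sent...), preloaded...)) == nil {
		return "incomplete-chain", err // keep the original error for the report
	}
	return "unknown-authority", err
}

func main() {
	ch := newTestChain()
	roots := x509.NewCertPool()
	roots.AddCert(ch.root)
	pre := []*x509.Certificate{ch.intermediate}
	for _, tc := range []struct {
		name            string
		sent, preloaded []*x509.Certificate
	}{
		{"complete chain", pre, nil},
		{"leaf only, no preload", nil, nil},
		{"leaf only, with preload", nil, pre},
	} {
		status, err := checkChain(ch.leaf, tc.sent, tc.preloaded, roots, "example.test")
		fmt.Printf("%-25s -> %s (%v)\n", tc.name, status, err)
	}
}
```

The retry only changes the diagnosis, not the verdict a fresh client would reach: a site in the "incomplete-chain" state still breaks for visitors whose client neither caches the intermediate nor fetches it via AIA, which is exactly the situation the service is meant to warn about.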

The site in the OP works now, but I can't think of any other misconfigured sites right now! :grimacing: badssl.com uses another CA, and the only other site I could remember got fixed!

I’m optimistically marking this as “solved”, but I hope someone knows another site to check…

I’ve also checked it against my personal site, which I temporarily set up with a broken chain. So I think we can consider it solved. Thanks!

Thank you for taking care of it!