Incomplete chain when using NGINX 1.8.0 and 1.9.9


Ubuntu 14.04 (3.13.0-24-generic)
NOTE: When using NGINX 1.4.6 with this same config, I am able to get an A+ on SSL Labs.

When using NGINX 1.8.0 (stable) and 1.9.9 (development), I get “Chain issues - Incomplete” on SSL Labs with the same config file I’ve been using. Why is this happening? Is this a Let’s Encrypt cert signing issue?

NOTE: In my config, there is one line specifically changed when using 1.4.6 vs the others:
listen 443 ssl spdy;. spdy is not compatible with 1.9.9 and 1.4.6 doesn’t support http2. From what I’ve seen, this has no bearing on the certificate issue.

server {
    listen 80;
    listen 443 ssl http2;


    keepalive_timeout 70;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_trusted_certificate /etc/letsencrypt/live/;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # resolver valid=300s;
    # resolver valid=1s;
    # resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/;
    error_log /var/log/nginx/;

    location / {

What do you think is causing this issue?


I would recommend setting ssl_certificate to fullchain.pem and removing ssl_trusted_certificate. The latter is only needed when you want to verify client certificates (and most people don’t need that). According to the documentation, the intermediate certificate in fullchain.pem provided to ssl_certificate will also suffice for OCSP stapling.

The documentation on ssl_trusted_certificate says it doesn’t send the intermediate to the client.

Why the same configuration did work with your previous versions, I don’t know. I also don’t know if nginx has different manuals for different versions like Apache does, so you could compare different behaviour of the commands.


Looks like swapping those certs did it for me! Awesome thanks :).

Since I’m having an issue w/ OCSP (w/ this config) and wanted to make it easy to find for someone else, I posted another thread here: NGINX OCSP not responding