How do you fix an incomplete SSL chain

Following up on zakjan's answer, I had a problem when I tried to use jquery to do an AJAX request on my newly secure server, in an android webview. It worked in the browser, but not in my app.

I used this site: https://certificatechain.io/

I pasted in the text of my signed .crt file I got back from Comodo (positiveSSL), and it gave me back a concatination of everything I needed. I saved it as my domain + "chain.crt" (see below)

Then, in my apache configs, I entered something like this for that particular virtual host:

SSLEngine On
SSLCertificateFile /etc/ssl/localcerts/example_com.crt
SSLCertificateKeyFile /etc/ssl/localcerts/example.com.key
SSLCACertificateFile /etc/ssl/localcerts/example.com.chain.crt

After that, my Android app's webview did not have a problem using ajax to POST to my server. I tried it on 2 real-world devices, one running 2.3.4, one running 4.something. And on the emulator running 2.3. All worked.

I hope this helps.

The chain was in crt file, that the original SSL was working off.

For GoDaddy there is a 2nd cert - gd_bundle.crt

Copy this info and add it to the crt installed on the server.

So the original crt on the server had 1 certificate, and after it will have 3 on the same file. This is the chain.

I still got contains anchor in chain issues on ssllabs.com but this is not an issue, just an option to leave in or out - according to - https://security.stackexchange.com/questions/24561/ssltest-chain-issues-contains-anchor/24566#24566

You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.

You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. Btw, I have written a script to automate the procedure, it takes a certificate to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver