What is wrong with my SSL trust chain?

Solution 1:

A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such certificate as untrusted.

You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.

You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver

Solution 2:

You have configured your server to only send the certificate to browsers. For most desktop browsers, this is fine because they already contain a whole lot of intermediate and root CA details, so they can construct the chain of trust easily. For most mobile browsers you generally need to provide the entire certificate chain, i.e. your own certificate, that of the issuing CA and any intermediates that might exist between that and the ultimate root CA. The mobile device will likely have the root CA details only in this scenario.

For you specific cert, you can read this Comodo helpdesk article: Knowledgebase : Comodo Certification Authority > Certificates > SSL > Certificate Installation