UNABLE_TO_VERIFY_LEAF_SIGNATURE
The client could not build a complete chain of trust from the server’s certificate up to a trusted root — usually because the server is not sending the intermediate certificate.
Common causes
- The server is configured with the leaf certificate only, omitting the intermediate(s).
- The certificate file is missing the CA bundle / chain.
- The intermediate certificate changed and the deployed bundle is stale.
How to fix it
1. Inspect exactly which certificates the server sends. You should see the leaf AND at least one intermediate:
   openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
2. Rebuild the served certificate to include the full chain (leaf first, then intermediates). For Nginx, ssl_certificate must point at fullchain.pem, not cert.pem.
3. Reload the server and re-test until the chain validates without -CAfile workarounds.
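As an added example (not part of the original page or of SSLNudge), the shell function below audits the chain listing printed by the step 1 command: it counts the certificates the server sent and checks that each one names the next as its issuer. The function names, exit codes and sample CA names are constructed for illustration, and the name comparison is a heuristic that does not verify signatures.

```shell
# Added example. Reads `openssl s_client -showcerts` output on stdin and audits
# the "Certificate chain" listing by subject/issuer NAME only (no signature check).
# Exit status: 0 linked chain, 1 leaf only, 2 broken or misordered link, 3 no chain.
# Live use: openssl s_client -connect example.com:443 -servername example.com \
#             -showcerts </dev/null 2>/dev/null | check_chain
check_chain() {
  awk '
    BEGIN { n = 0 }
    /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ +i:/        { sub(/^ +i:/, "");        iss[n++] = $0; next }
    END {
      if (n == 0) { print "no certificate chain found in input"; exit 3 }
      printf "server sent %d certificate(s)\n", n
      if (n == 1) { print "leaf only: no intermediate was sent"; exit 1 }
      for (i = 0; i < n - 1; i++)
        if (iss[i] != subj[i + 1]) {
          printf "cert %d issuer is not the subject of cert %d\n", i, i + 1
          exit 2
        }
      print "leaf first, each certificate issued by the next"
    }'
}

# Constructed s_client excerpt (made-up CA names, PEM bodies omitted).
# $1 = CN of the intermediate the server sends; empty = leaf only.
sample_chain() {
  cat <<EOF
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Example CA, CN = Example Intermediate R2
EOF
  [ -z "${1:-}" ] && return 0
  cat <<EOF
 1 s:C = US, O = Example CA, CN = $1
   i:C = US, O = Example CA, CN = Example Root X1
EOF
}

# Three cases from the causes list: leaf only, correct bundle, stale bundle.
for cn in "" "Example Intermediate R2" "Example Intermediate R1"; do
  echo "== intermediate sent: ${cn:-none}"
  sample_chain "$cn" | check_chain || echo "exit status $?"
done
```

A status of 2 with two or more certificates sent is what a stale or misordered bundle looks like; confirm it with a real validation of the chain before redeploying.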
Catch these before your users do
SSLNudge detects UNABLE_TO_VERIFY_LEAF_SIGNATURE and expiry issues daily and alerts you.