TLS certificate chain incomplete on livecharts.dev — breaks AI agent tooling #2120
Description
Summary
The server at livecharts.dev is not sending the intermediate CA certificate in the TLS handshake. This causes programmatic clients to fail with unable to verify the first certificate, including AI coding agent tools (Claude Code, GitHub Copilot, Cursor, etc.) that fetch documentation to assist developers.
Impact
AI coding agents that use web fetch tools to read LiveCharts2 documentation at livecharts.dev get a TLS error and cannot access any page on the site. This means agents cannot look up API references, chart examples, or installation instructions while helping developers integrate LiveCharts2 — forcing manual workarounds like cloning the repo source code.
Other affected clients:
- Node.js
fetch/https - .NET
HttpClient(default config) curl(without-k)- Python
requests - CI/CD pipelines
Desktop browsers are typically unaffected because they can work around the issue via AIA fetching (downloading the missing intermediate certificate on-the-fly).
Diagnosis
The certificate chain served by livecharts.dev (74.208.85.126) contains only 1 certificate (the leaf). The required intermediate is missing:
| # | Certificate | Issuer |
|---|---|---|
| 0 (served) | CN=*.livecharts.dev |
Sectigo Public Server Authentication CA DV R36 |
| 1 (missing) | Sectigo Public Server Authentication CA DV R36 | Sectigo Public Server Authentication Root R46 |
OpenSSL output:
Verification error: unable to verify the first certificate (error 21)
Certificate chain:
0 s:CN=*.livecharts.dev
i:C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
The leaf certificate itself is valid (RSA 2048-bit, valid Aug 18 2025 – Aug 24 2026). When the intermediate is manually supplied, the chain verifies successfully — confirming this is a server configuration issue, not a certificate issue.
The intermediate certificate is available at:
http://crt.sectigo.com/SectigoPublicServerAuthenticationCADVR36.crt
Fix
Concatenate the intermediate certificate into the server's SSL certificate bundle. For most web servers this means combining the leaf cert and intermediate cert into a single PEM
file:
-----BEGIN CERTIFICATE-----
(leaf: *.livecharts.dev)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate: Sectigo Public Server Authentication CA DV R36)
-----END CERTIFICATE-----
The exact configuration depends on the web server software (nginx: ssl_certificate, Apache: SSLCertificateChainFile or combined in SSLCertificateFile, IIS: import intermediate into Intermediate Certification Authorities store).
Verification
After fixing, this command should show Verify return code: 0 (ok):
echo | openssl s_client -connect livecharts.dev:443 -servername livecharts.dev 2>&1 | grep "Verify return code"
## Environment
This issue was encountered issue by Claude Code CLI on Mac.