
Certificate Management Service: How do I troubleshoot the issue that the certificate chain of a website is incomplete?

Last Updated: Jan 10, 2024

A certificate chain consists of a root certificate, intermediate certificates, and a server certificate. If a website uses a certificate chain that lacks intermediate certificates or the root certificate, your browser may report a connection failure or other errors when you access the website. This topic describes how to check whether a certificate chain is complete and handle an incomplete certificate chain.

Step 1: Check whether a certificate chain is complete

Run the following command on your server to check whether the certificate chain of the server is complete. The command works regardless of whether your website is deployed. Replace the placeholders as follows:

  • <Server_IP>: Specify the IP address of your server.

  • <Domain_Name>: Specify the domain name of your website.

openssl s_client -connect <Server_IP>:443 -servername <Domain_Name>

The following figure shows the content format of a certificate file. Section 1 shows a domain name certificate, and Section 2 shows an intermediate certificate. If the command output shows only the domain name certificate, the certificate chain is incomplete.

[Figure: certificate chain]

If the domain name certificate and the intermediate certificate are in the same file, make sure that no spaces or carriage returns exist between the domain name certificate (Section 1) and the intermediate certificate (Section 2).
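The check in Step 1 can be scripted. The following is an added example, not part of the original topic: check_chain reads the output of the Step 1 command and reports whether the server sent more than the domain name certificate and whether each certificate names the next one as its issuer. The function names and the sample outputs are constructed for illustration; the check compares issuer and subject names only and does not verify signatures or trust.

```shell
#!/bin/sh
# Added example. check_chain reads openssl s_client output on stdin.
# Exit status: 0 = chain looks complete, 1 = incomplete, 2 = no chain section.
check_chain() {
  awk '
    BEGIN                       { n = 0 }
    /^Certificate chain/        { in_chain = 1; next }
    in_chain && /^---/          { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/  { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
    in_chain && /^ *i:/         { sub(/^ *i:/, ""); iss[n - 1] = $0 }
    END {
      if (n == 0) { print "no certificate chain section found"; exit 2 }
      # A lone certificate that is not self-signed means no intermediate was sent.
      if (n == 1 && subj[0] != iss[0]) {
        print "incomplete: only the domain name certificate was sent"; exit 1
      }
      # Each certificate must be issued by the next one in the list.
      for (k = 0; k < n - 1; k++)
        if (iss[k] != subj[k + 1]) {
          printf "incomplete: certificate %d is not issued by certificate %d\n", k, k + 1
          exit 1
        }
      printf "complete: %d certificates sent\n", n
    }'
}

# Constructed sample: the server sends only the domain name certificate.
sample_incomplete() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.com
   i:C = XX, O = Example CA, CN = Example Intermediate CA
---
EOF
}

# Constructed sample: domain name certificate followed by its intermediate.
sample_complete() {
  cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = XX, O = Example CA, CN = Example Intermediate CA
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example Root, CN = Example Root CA
---
EOF
}
```

Against a live server, pipe the Step 1 command into the function: openssl s_client -connect <Server_IP>:443 -servername <Domain_Name> </dev/null 2>/dev/null | check_chain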


Step 2: Download the required certificate again and configure the certificate

If your certificate chain is incomplete, you can perform the following steps to download and deploy the required certificate:

  1. Log on to the Certificate Management Service console and download a certificate based on your server type. For more information, see Installation overview.

  2. Deploy the certificate based on your business requirements.