A certificate chain consists of a root certificate, one or more intermediate certificates, and a server certificate. When the chain is incomplete — typically because an intermediate certificate is missing — your browser may report a connection failure or other errors when you access the website.
This page shows how to check whether your certificate chain is complete and how to fix it.
Step 1: Check whether the certificate chain is complete
Run the following command on your server to inspect the certificate chain. You can run this command regardless of whether your website is currently deployed.
openssl s_client -connect <Server_IP>:443 -servername <Domain_Name>Replace the placeholders with your actual values:
| Placeholder | Description |
|---|---|
<Server_IP> | IP address of your server |
<Domain_Name> | Domain name of your website |
Interpreting the output: The following figure shows the expected output for a complete certificate chain. Section 1 is the domain certificate, and Section 2 is the intermediate certificate. If the output shows only Section 1 (the domain certificate), the chain is incomplete.
If the domain certificate and the intermediate certificate are stored in the same file, they must be concatenated in the correct order: the domain certificate first, followed by the intermediate certificate. No blank lines or carriage returns between them.
Step 2: Download and redeploy the certificate
If the chain is incomplete, download the full certificate package and redeploy it.
Log on to the Certificate Management Service console and download the certificate for your server type. For a list of supported server types and download instructions, see Installation overview.
Deploy the certificate based on your environment:
Web server: Follow the server-specific installation steps in Installation overview.
Alibaba Cloud service: Deploy directly from the Certificate Management Service console. For instructions, see Deploy certificates to Alibaba Cloud services.