nginx
config_error
ai_generated
true
SSL: certificate chain error: unable to get local issuer certificate
ID: nginx/ssl-certificate-chain-missing-intermediate
90%Fix Rate
88%Confidence
1Evidence
2024-05-20First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root Cause
The SSL certificate file does not include the intermediate CA certificates, causing clients to fail verifying the chain.
generic中文
SSL 证书文件未包含中间 CA 证书,导致客户端无法验证证书链。
Official Documentation
https://nginx.org/en/docs/http/configuring_https_servers.htmlWorkarounds
-
90% success Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`
Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`
-
85% success Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.
Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.
-
90% success Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.
Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.
中文步骤
Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`
Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.
Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.
Dead Ends
Common approaches that don't work:
-
80% fail
The issue is the missing intermediates, not the leaf certificate format.
-
90% fail
This is for client certificate authentication, not server certificate chain.
-
95% fail
This directive does not exist; nginx will fail to reload.