{
  "id": "nginx/ssl-certificate-chain-missing-intermediate",
  "signature": "SSL: certificate chain error: unable to get local issuer certificate",
  "signature_zh": "SSL 证书链错误：无法获取本地颁发者证书",
  "regex": "unable to get local issuer certificate",
  "domain": "nginx",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The SSL certificate file does not include the intermediate CA certificates, causing clients to fail verifying the chain.",
  "root_cause_type": "generic",
  "root_cause_zh": "SSL 证书文件未包含中间 CA 证书，导致客户端无法验证证书链。",
  "versions": [
    {
      "version": "nginx 1.24.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.22.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.20.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The issue is the missing intermediates, not the leaf certificate format.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This is for client certificate authentication, not server certificate chain.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "This directive does not exist; nginx will fail to reload.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
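    {
      "action": "Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`. The root certificate (root.crt in the example) is optional here: clients validate against the root in their own trust store, so it can be left out. Do not add the private key to this file; keep it in the separate, access-restricted file named by ssl_certificate_key.",
      "success_rate": 0.9,
      "how": "Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`. The root certificate (root.crt in the example) is optional here: clients validate against the root in their own trust store, so it can be left out. Do not add the private key to this file; keep it in the separate, access-restricted file named by ssl_certificate_key.",
      "condition": "",
      "sources": []
    },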
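    {
      "action": "Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain. Certificates listed in ssl_trusted_certificate are used only by nginx for verification and are not sent to clients, so this directive alone does not supply the missing intermediates.",
      "success_rate": 0.85,
      "how": "Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain. Certificates listed in ssl_trusted_certificate are used only by nginx for verification and are not sent to clients, so this directive alone does not supply the missing intermediates.",
      "condition": "",
      "sources": []
    },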
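    {
      "action": "Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain. This command checks only the local files; after reloading nginx, confirm what the server actually presents with `openssl s_client -connect example.com:443 -servername example.com -showcerts` (example.com is a sample host name).",
      "success_rate": 0.9,
      "how": "Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain. This command checks only the local files; after reloading nginx, confirm what the server actually presents with `openssl s_client -connect example.com:443 -servername example.com -showcerts` (example.com is a sample host name).",
      "condition": "",
      "sources": []
    }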
  ],
  "workarounds_zh": [
    "Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`",
    "Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.",
    "Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://nginx.org/en/docs/http/configuring_https_servers.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.9,
  "resolvable": "true",
  "first_seen": "2024-05-20",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}