# SSL: certificate chain error: unable to get local issuer certificate - **ID:** `nginx/ssl-certificate-chain-missing-intermediate` - **Domain:** nginx - **Category:** config_error - **Verification:** ai_generated - **Fix Rate:** 90% ## Root Cause The SSL certificate file does not include the intermediate CA certificates, causing clients to fail verifying the chain. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | nginx 1.24.0 | active | — | — | | nginx 1.22.1 | active | — | — | | nginx 1.20.2 | active | — | — | ## Workarounds 1. **Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`** (90% success) ``` Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem` ``` 2. **Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.** (85% success) ``` Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain. ``` 3. **Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.** (90% success) ``` Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain. ``` ## Dead Ends - **** — The issue is the missing intermediates, not the leaf certificate format. (80% fail) - **** — This is for client certificate authentication, not server certificate chain. (90% fail) - **** — This directive does not exist; nginx will fail to reload. (95% fail)