nginx
config_error
ai_generated
true
SSL certificate chain error: unable to get local issuer certificate
SSL: certificate chain error: unable to get local issuer certificate
ID: nginx/ssl-certificate-chain-missing-intermediate
90% fix rate
88% confidence
Evidence count: 1
First seen: 2024-05-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root cause analysis
The SSL certificate file does not include the intermediate CA certificates, so clients cannot verify the certificate chain.
Official documentation
https://nginx.org/en/docs/http/configuring_https_servers.html
Solutions
- Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the `ssl_certificate` directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`. The root certificate in this command is optional, since clients validate against the root in their own trust store.
- Use the `ssl_trusted_certificate` directive to specify the CA chain separately for OCSP stapling, but ensure `ssl_certificate` still contains the full chain.
- Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.
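As an added example (not from the original page or the nginx project), this script builds a constructed throwaway root, intermediate and leaf, reproduces the `unable to get local issuer certificate` failure with a leaf-only file, and shows it clear once the intermediate is bundled. The `Lab ...` subject names and the helper functions `make_lab_pki`, `verify_served` and `leaf_first` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example with a constructed, throwaway PKI (root -> intermediate -> leaf).
# File names follow the page's commands; the "Lab ..." subjects are made up.

# Create keys and certificates in the current (scratch) directory.
make_lab_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    for n in root intermediate example.com; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab $n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile ca.ext -out root.crt 2>/dev/null &&
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 2 -extfile ca.ext -out intermediate.crt 2>/dev/null &&
    openssl x509 -req -in example.com.csr -CA intermediate.crt \
        -CAkey intermediate.key -CAcreateserial -days 2 \
        -out example.com.crt 2>/dev/null
}

# Verify the leaf the way a client would: root.crt is the only trust anchor,
# and the file in $1 stands in for what ssl_certificate makes nginx send.
verify_served() {
    openssl verify -CAfile root.crt -untrusted "$1" example.com.crt 2>&1
}

# nginx expects the leaf first in the bundle; openssl x509 reads only the
# first certificate of a PEM file, so compare its fingerprint with the leaf's.
leaf_first() {
    [ "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in example.com.crt -noout -fingerprint -sha256)" ]
}

work=$(mktemp -d) && cd "$work" || exit 1
make_lab_pki || { echo "openssl failed" >&2; exit 1; }

# Leaf first, then the intermediate. The root is left out here because
# clients validate against the copy in their own trust store.
cat example.com.crt intermediate.crt > fullchain.pem

echo "leaf only : $(verify_served example.com.crt | tail -n 1)"
echo "full chain: $(verify_served fullchain.pem | tail -n 1)"
leaf_first fullchain.pem && echo "bundle order: leaf first"
```

Running `leaf_first` against the file referenced by `ssl_certificate` before a reload catches bundles concatenated in the wrong order.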
Ineffective attempts
Common but ineffective approaches:
- 80% failure: The issue is the missing intermediates, not the leaf certificate format.
- 90% failure: This is for client certificate authentication, not server certificate chain.
- 95% failure: This directive does not exist; nginx will fail to reload.