# SSL 证书链错误：无法获取本地颁发者证书

- **ID:** `nginx/ssl-certificate-chain-missing-intermediate`
- **领域:** nginx
- **类别:** config_error
- **验证级别:** ai_generated
- **修复率:** 90%

## 根因

SSL 证书文件未包含中间 CA 证书，导致客户端无法验证证书链。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| nginx 1.24.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.20.2 | active | — | — |

## 解决方案

1. ```
   Concatenate the leaf certificate and all intermediate CA certificates into one PEM file (leaf first, then intermediates) and use it in the ssl_certificate directive. Example command: `cat example.com.crt intermediate.crt root.crt > fullchain.pem`
   ```
2. ```
   Use the ssl_trusted_certificate directive to specify the CA chain separately for OCSP stapling, but ensure ssl_certificate still contains the full chain.
   ```
3. ```
   Verify the chain using openssl: `openssl verify -CAfile root.crt -untrusted intermediate.crt example.com.crt`. Fix any missing certificates in the chain.
   ```

## 无效尝试

- **** — The issue is the missing intermediates, not the leaf certificate format. (80% 失败率)
- **** — This is for client certificate authentication, not server certificate chain. (90% 失败率)
- **** — This directive does not exist; nginx will fail to reload. (95% 失败率)