nginx | auth_error | ai_generated: true
SSL: certificate chain too long: chain length exceeds maximum allowed depth
ID: nginx/ssl-certificate-chain-too-long
Fix Rate: 85%
Confidence: 81%
Evidence: 1
First Seen: 2024-08-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx/1.24.0 | active | — | — | — |
| nginx/1.22.1 | active | — | — | — |
| nginx/1.26.0 | active | — | — | — |
Root Cause
The SSL certificate chain provided by the server has more intermediate certificates than the maximum chain depth configured (default 100) or supported by the client.
Official Documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html
Workarounds
- 90% success: Rebuild the chain file so it contains only the necessary intermediates by concatenating the PEM files in order, leaf first: cat server.crt intermediate.crt root.crt > fullchain.crt; then point nginx at it with ssl_certificate /path/to/fullchain.crt;
- 85% success: Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.
- 70% success: Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).
Dead Ends
Common approaches that don't work:
- 80% fail: This only affects client certificate verification, not the server certificate chain length.
- 75% fail: This disables client certificate verification, but the chain length error comes from the server certificate itself.
- 90% fail: The certificate file itself has too many intermediates; restarting does not change it.