{ "id": "nginx/ssl-certificate-chain-too-long", "signature": "SSL: certificate chain too long: chain length exceeds maximum allowed depth", "signature_zh": "SSL 证书链过长:链长度超过允许的最大深度", "regex": "SSL: certificate chain too long: chain length exceeds maximum allowed depth", "domain": "nginx", "category": "auth_error", "subcategory": null, "root_cause": "The SSL certificate chain provided by the server has more intermediate certificates than the maximum chain depth configured (default 100) or supported by the client.", "root_cause_type": "generic", "root_cause_zh": "服务器提供的 SSL 证书链包含的中间证书数量超过了配置的最大链深度(默认 100)或客户端支持的限制。", "versions": [ { "version": "nginx/1.24.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx/1.22.1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx/1.26.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "This only affects client certificate verification, not server certificate chain length.", "fail_rate": 0.8, "condition": "", "sources": [] }, { "action": "", "why_fails": "This disables client cert verification, but the server chain length error is from the server cert itself.", "fail_rate": 0.75, "condition": "", "sources": [] }, { "action": "", "why_fails": "The certificate file itself has too many intermediates; restarting does not change it.", "fail_rate": 0.9, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Reconstruct the certificate chain to include only necessary intermediates using openssl: cat server.crt intermediate.crt root.crt > fullchain.crt; then use ssl_certificate /path/to/fullchain.crt;", "success_rate": 0.9, "how": "Reconstruct the certificate chain to include only necessary intermediates using openssl: cat server.crt intermediate.crt root.crt > fullchain.crt; then use ssl_certificate /path/to/fullchain.crt;", "condition": "", "sources": [] }, { "action": "Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.", "success_rate": 0.85, "how": "Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.", "condition": "", "sources": [] }, { "action": "Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).", "success_rate": 0.7, "how": "Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).", "condition": "", "sources": [] } ], "workarounds_zh": [ "Reconstruct the certificate chain to include only necessary intermediates using openssl: cat server.crt intermediate.crt root.crt > fullchain.crt; then use ssl_certificate /path/to/fullchain.crt;", "Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.", "Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing)." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_ssl_module.html", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.81, "fix_success_rate": 0.85, "resolvable": "true", "first_seen": "2024-08-12", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }