# SSL: certificate chain too long: chain length exceeds maximum allowed depth

- **ID:** `nginx/ssl-certificate-chain-too-long`
- **Domain:** nginx
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

The SSL certificate chain provided by the server has more intermediate certificates than the maximum chain depth configured (default 100) or supported by the client.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| nginx/1.24.0 | active | — | — |
| nginx/1.22.1 | active | — | — |
| nginx/1.26.0 | active | — | — |

## Workarounds

1. **Reconstruct the certificate chain so that it includes only the necessary intermediates, then point `ssl_certificate` at the resulting file.** (90% success)
   ```
   cat server.crt intermediate.crt root.crt > fullchain.crt
   # then, in the nginx configuration:
   ssl_certificate /path/to/fullchain.crt;
   ```
2. **Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.** (85% success)
3. **Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).** (70% success)
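
One way to carry out workarounds 1 and 2 on an existing bundle, as an added example that is not part of the original entry or of nginx: it keeps the first certificate (assumed to be the leaf), follows issuer-to-subject links, and drops duplicates, unrelated certificates and, unless `keep_root=True`, the self-signed root. The function names are hypothetical, and issuers are matched by raw Name bytes only, with no signature checks.

```python
import base64
import re
import ssl
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return the raw DER (issuer, subject) Name fields of one certificate."""
    _, pos, _ = tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)               # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                      # serial, sigAlg, issuer, validity, subject
        end = tlv(der, pos)[2]
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def trim_chain(bundle, keep_root=False):
    """Leaf first, then each issuer exactly once; duplicates and strays dropped."""
    certs = list(dict.fromkeys(base64.b64decode(b) for b in PEM_RE.findall(bundle)))
    by_subject = {names(d)[1]: d for d in reversed(certs)}   # first occurrence wins
    chain = certs[:1]                       # assumption: the leaf is first in the file
    while chain:
        issuer, subject = names(chain[-1])
        parent = by_subject.get(issuer)
        if issuer == subject or parent is None or parent in chain:
            break
        if not keep_root and names(parent)[0] == names(parent)[1]:
            break                           # self-signed root: clients use their own copy
        chain.append(parent)
    return chain

def to_pem(chain):
    return "".join(ssl.DER_cert_to_PEM_cert(der) for der in chain)

if __name__ == "__main__":                  # usage: python trim_chain.py fullchain.crt
    sys.stdout.write(to_pem(trim_chain(open(sys.argv[1], "rb").read())))
```

Check the trimmed file with `openssl verify` and `nginx -t` before reloading nginx.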

## Dead Ends

- **** — This only affects client certificate verification, not server certificate chain length. (80% fail)
- **** — This disables client cert verification, but the server chain length error is from the server cert itself. (75% fail)
- **** — The certificate file itself has too many intermediates; restarting does not change it. (90% fail)
