nginx
auth_error
ai_generated: true
SSL: certificate chain too long: chain length exceeds maximum allowed depth
ID: nginx/ssl-certificate-chain-too-long
Fix rate: 85%
Confidence: 81%
Evidence count: 1
First seen: 2024-08-12
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx/1.24.0 | active | — | — | — |
| nginx/1.22.1 | active | — | — | — |
| nginx/1.26.0 | active | — | — | — |
Root cause analysis
The SSL certificate chain provided by the server contains more intermediate certificates than the configured maximum chain depth (default 100) or than the client supports.
Official documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html
Solutions
- Reconstruct the certificate chain so that it includes only the necessary intermediates by concatenating the PEM files: `cat server.crt intermediate.crt root.crt > fullchain.crt`; then reference it with `ssl_certificate /path/to/fullchain.crt;`
- Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.
- Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).
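
An added example (not part of the original entry or of nginx) for the second solution above: it counts the certificates in a PEM bundle and strips byte-identical repeats, assuming the redundancy comes from the same certificate appearing more than once. It reads only the PEM framing and does not parse X.509, so it cannot tell which distinct intermediates are actually needed; the function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block and captures its base64 body.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.DOTALL)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate block, in file order."""
    ders = []
    for match in PEM_CERT.finditer(pem_text):
        body = "".join(match.group(1).split())  # drop line breaks inside the block
        ders.append(base64.b64decode(body, validate=True))
    return ders

def dedupe_bundle(pem_text):
    """Drop byte-identical repeats; return (unique DER blobs, number removed)."""
    seen, unique = set(), []
    ders = split_bundle(pem_text)
    for der in ders:
        digest = hashlib.sha256(der).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(der)
    return unique, len(ders) - len(unique)

def to_pem(ders):
    """Re-encode DER blobs as a PEM bundle with 64-character lines."""
    blocks = []
    for der in ders:
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return "\n".join(blocks) + "\n"

def placeholder_block(label):
    # Constructed placeholder bytes, not a real X.509 certificate.
    return to_pem([label.encode() * 20])

# Constructed sample: a leaf, then the same intermediate appended three times.
SAMPLE = placeholder_block("leaf") + placeholder_block("intermediate") * 3

if __name__ == "__main__":
    unique, removed = dedupe_bundle(SAMPLE)
    print(f"{len(split_bundle(SAMPLE))} certificates in bundle, {removed} duplicates removed")
    print(to_pem(unique), end="")
```

To use it on a real file, pass the contents of the chain file to `dedupe_bundle` and write `to_pem(unique)` to a new file before pointing `ssl_certificate` at it.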
Ineffective attempts
Common but ineffective approaches:
- 80% failure: This only affects client certificate verification, not server certificate chain length.
- 75% failure: This disables client cert verification, but the server chain length error is from the server cert itself.
- 90% failure: The certificate file itself has too many intermediates; restarting does not change it.