# SSL certificate chain too long: chain length exceeds the maximum allowed depth

- **ID:** `nginx/ssl-certificate-chain-too-long`
- **Domain:** nginx
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 85%

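## Root cause

The SSL certificate chain served by the server contains more intermediate certificates than the configured maximum chain depth (default 100) or than the client supports.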

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| nginx/1.24.0 | active | — | — |
| nginx/1.22.1 | active | — | — |
| nginx/1.26.0 | active | — | — |

## Solutions

1. Reconstruct the certificate chain to include only the necessary intermediates using openssl: `cat server.crt intermediate.crt root.crt > fullchain.crt`, then use `ssl_certificate /path/to/fullchain.crt;`.
2. Remove redundant intermediate certificates from the chain file, keeping only the leaf and one intermediate if needed.
3. Use a certificate authority that provides a shorter chain (e.g., Let's Encrypt with cross-signing).
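
An added example, not part of the original entry or of nginx: a standard-library Python check for steps 1 and 2 that walks issuer links from the leaf in a PEM bundle and separates the certificates on that path from the redundant ones. It assumes the first PEM block is the leaf and matches subject and issuer names without verifying signatures; all function names and the `fake_cert` sample data are constructed for illustration.

```python
import base64, re
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER bytes from an X.509 certificate."""
    _, p, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, p, _ = read_tlv(der, p)            # TBSCertificate SEQUENCE
    if der[p] == 0xA0:                    # optional [0] version field
        p = read_tlv(der, p)[2]
    fields = []
    for _i in range(5):                   # serial, sigAlg, issuer, validity, subject
        end = read_tlv(der, p)[2]
        fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def prune_chain(bundle, keep_root=True):
    """Follow issuer links from the leaf (first PEM block); return (chain, redundant)."""
    certs = [base64.b64decode(b) for b in PEM_RE.findall(bundle)]
    if not certs:
        raise ValueError("no CERTIFICATE blocks in bundle")
    by_subject = {names(c)[0]: c for c in reversed(certs[1:])}  # first occurrence wins
    chain = [certs[0]]
    while True:
        subject, issuer = names(chain[-1])
        nxt = by_subject.get(issuer)
        root = nxt is not None and names(nxt)[0] == names(nxt)[1]
        if subject == issuer or nxt is None or nxt in chain or (root and not keep_root):
            break                         # self-signed, issuer absent, loop, or root not wanted
        chain.append(nxt)
    return chain, [c for c in certs if c not in chain]

# Constructed sample data: DER skeletons carrying only the fields parsed above, not real certificates.
def enc(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
def fake_cert(subject, issuer):
    name = lambda cn: enc(0x30, enc(0x0C, cn.encode()))
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + name(issuer) + b"\x30\x00" + name(subject)
    pem = base64.b64encode(enc(0x30, enc(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + pem + b"\n-----END CERTIFICATE-----\n"
SAMPLE = b"".join(fake_cert(s, i) for s, i in
                  [("leaf", "int-A"), ("stale-int", "root"), ("int-A", "root"), ("root", "root")])
```

Pass the bytes of the file named in `ssl_certificate`; `keep_root=True` keeps the root as in step 1's `cat`, while `keep_root=False` gives the leaf-plus-intermediates form of step 2.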

## Ineffective attempts

- **** — This only affects client certificate verification, not server certificate chain length. (80% failure rate)
- **** — This disables client cert verification, but the server chain length error is from the server cert itself. (75% failure rate)
- **** — The certificate file itself has too many intermediates; restarting does not change it. (90% failure rate)
