nginx
config_error
ai_generated
true
nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/nginx/ssl/cert.pem") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag)
ID: nginx/ssl-pem-format-error
Fix Rate: 90%
Confidence: 87%
Evidence: 1
First Seen: 2024-01-08
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root Cause
The certificate file is in DER format but nginx expects PEM format, or the PEM file is corrupted with extra whitespace or binary data.
Official Documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
Workarounds
- 95% success: Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.
- 85% success: If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.
- 90% success: Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx.
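To decide which workaround applies, the file can be classified first. The script below is an added example, not part of the original entry or of nginx; the function names, the status labels and the sample files are assumptions made for illustration, and its whitespace check is deliberately stricter than OpenSSL's own parser.

```bash
#!/usr/bin/env bash
# Added example: lint a certificate file before pointing ssl_certificate at it.
# classify_cert prints one of: pem | pem-dirty | der | unknown | unreadable

classify_cert() {
    local f=$1 head2 begins ends bad
    [ -r "$f" ] || { echo unreadable; return 0; }
    # DER starts with the ASN.1 SEQUENCE tag 0x30 and a long-form length byte.
    head2=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    begins=$(LC_ALL=C grep -ac -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(LC_ALL=C grep -ac -e '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        case "$head2" in
            308[1-4]) echo der ;;
            *)        echo unknown ;;
        esac
        return 0
    fi
    # Count lines that are neither an exact marker nor pure base64: trailing
    # spaces, CRs, blank lines and stray binary bytes all land here.
    bad=$(LC_ALL=C grep -aEv -e '^-----(BEGIN|END) CERTIFICATE-----$' "$f" \
          | LC_ALL=C grep -acEv -e '^[A-Za-z0-9+/]+={0,2}$' || true)
    if [ "$begins" -ne "$ends" ] || [ "$bad" -ne 0 ]; then
        echo pem-dirty
    else
        echo pem
    fi
}

# Constructed samples: placeholder base64 and bytes, not real certificates.
make_samples() {
    local d=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURURTQU1QTEU=' \
        '-----END CERTIFICATE-----' > "$d/clean.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURURTQU1QTEU= ' \
        '-----END CERTIFICATE-----' > "$d/trailing-space.pem"
    printf '\060\202\001\012\060\201' > "$d/cert.der"
}

# With no arguments, run against the constructed samples.
demo_dir=""
if [ "$#" -eq 0 ]; then
    demo_dir=$(mktemp -d)
    make_samples "$demo_dir"
    set -- "$demo_dir"/*
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_cert "$f")"
done
if [ -n "$demo_dir" ]; then rm -rf "$demo_dir"; fi
```

A result of der points to the conversion workaround and pem-dirty to regenerating the file; a result of pem only means the framing is clean, so the 'openssl x509 -in ... -text -noout' check above still decides whether the contents parse.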
Dead Ends
Common approaches that don't work:
- 95% fail: The error is about file parsing, not trust chain validation.
- 99% fail: The error explicitly mentions the certificate file path; the key is a separate directive.
- 100% fail: The file content is invalid; a restart will reproduce the same error.