{ "id": "nginx/ssl-pem-format-error", "signature": "nginx: [emerg] SSL_CTX_use_certificate_chain_file(\"/etc/nginx/ssl/cert.pem\") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag)", "signature_zh": "nginx: [emerg] SSL_CTX_use_certificate_chain_file(\"/etc/nginx/ssl/cert.pem\") 失败 (SSL: error:0D0680A8:asn1编码例程:ASN1_CHECK_TLEN:错误标签)", "regex": "SSL_CTX_use_certificate_chain_file.*failed \\(SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag\\)", "domain": "nginx", "category": "config_error", "subcategory": null, "root_cause": "The certificate file is in DER format but nginx expects PEM format, or the PEM file is corrupted with extra whitespace or binary data.", "root_cause_type": "generic", "root_cause_zh": "证书文件是 DER 格式,但 nginx 期望 PEM 格式,或者 PEM 文件包含额外空格或二进制数据而损坏。", "versions": [ { "version": "nginx 1.24.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.22.1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.18.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.20.2", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "The error is about file parsing, not trust chain validation.", "fail_rate": 0.95, "condition": "", "sources": [] }, { "action": "", "why_fails": "The error explicitly mentions the certificate file path; the key is a separate directive.", "fail_rate": 0.99, "condition": "", "sources": [] }, { "action": "", "why_fails": "The file content is invalid; a restart will reproduce the same error.", "fail_rate": 1.0, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.", "success_rate": 0.95, "how": "Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.", "condition": "", "sources": [] }, { "action": "If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.", "success_rate": 0.85, "how": "If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.", "condition": "", "sources": [] }, { "action": "Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx.", "success_rate": 0.9, "how": "Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.", "If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.", "Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.87, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2024-01-08", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }