# nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/nginx/ssl/cert.pem") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag) - **ID:** `nginx/ssl-pem-format-error` - **Domain:** nginx - **Category:** config_error - **Verification:** ai_generated - **Fix Rate:** 90% ## Root Cause The certificate file is in DER format but nginx expects PEM format, or the PEM file is corrupted with extra whitespace or binary data. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | nginx 1.24.0 | active | — | — | | nginx 1.22.1 | active | — | — | | nginx 1.18.0 | active | — | — | | nginx 1.20.2 | active | — | — | ## Workarounds 1. **Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.** (95% success) ``` Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file. ``` 2. **If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.** (85% success) ``` If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces. ``` 3. **Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx.** (90% success) ``` Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx. ``` ## Dead Ends - **** — The error is about file parsing, not trust chain validation. (95% fail) - **** — The error explicitly mentions the certificate file path; the key is a separate directive. (99% fail) - **** — The file content is invalid; a restart will reproduce the same error. (100% fail)