nginx
config_error
ai_generated
true
nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/nginx/ssl/cert.pem") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag)
ID: nginx/ssl-pem-format-error
Fix rate: 90%
Confidence: 87%
Evidence count: 1
First seen: 2024-01-08
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
Root cause analysis
The certificate file is in DER format but nginx expects PEM format, or the PEM file is corrupted with extra whitespace or binary data.
Official documentation
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
Solutions
- Convert the certificate from DER to PEM using OpenSSL: 'openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM' then replace the file.
- If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in correct order: 'cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem' and ensure no extra spaces.
- Validate the PEM file with 'openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout' to check for parsing errors before reloading nginx.
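
A pre-reload check for the conditions described above, as an added example (not part of the original entry or of nginx): it tells DER from PEM and flags the corruption cases without calling OpenSSL. `diagnose_cert_file`, `to_pem` and `SAMPLE_DER` are hypothetical names, and the sample bytes are constructed.

```python
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def to_pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (used for the constructed samples)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def diagnose_cert_file(data):
    """Return findings for a certificate file; an empty list means clean PEM."""
    # DER certificates start with SEQUENCE (0x30) plus a long-form length (0x82).
    if data[:2] == b"\x30\x82" and b"-----BEGIN" not in data:
        return ["DER input: convert to PEM before pointing ssl_certificate at it"]
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the first BEGIN line")
    if b"\x00" in data:
        findings.append("NUL bytes: binary data or UTF-16 text")
    # Beyond the page: cat fuses END/BEGIN when an input lacks a final newline.
    if b"-----END CERTIFICATE----------BEGIN CERTIFICATE-----" in data:
        findings.append("END and BEGIN lines fused: missing newline between certificates")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        findings.append("no complete BEGIN/END CERTIFICATE block")
    for n, body in enumerate(blocks, 1):
        lines = body.splitlines()
        if any(line != line.strip() for line in lines):
            findings.append(f"certificate {n}: extra whitespace on base64 lines")
        try:
            der = base64.b64decode(b"".join(l.strip() for l in lines), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append(f"certificate {n}: body is not valid base64")
            continue
        # Coarse tag check only: a certificate is an ASN.1 SEQUENCE, first byte 0x30.
        if der[:1] != b"\x30":
            findings.append(f"certificate {n}: decoded body does not start with 0x30")
    return findings

# Constructed placeholder bytes with a certificate-like header, not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("pem", to_pem(SAMPLE_DER)), ("der", SAMPLE_DER)]:
        print(name, diagnose_cert_file(blob))
```

An empty result only means the file is structurally clean PEM; the 'openssl x509' validation step above is still the check that the contents parse as a certificate.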
Ineffective attempts
Common but ineffective approaches:
- 95% failure: The error is about file parsing, not trust chain validation.
- 99% failure: The error explicitly mentions the certificate file path; the key is a separate directive.
- 100% failure: The file content is invalid; a restart will reproduce the same error.