# nginx: [emerg] SSL_CTX_use_certificate_chain_file("/etc/nginx/ssl/cert.pem") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag)

- **ID:** `nginx/ssl-pem-format-error`
- **Domain:** nginx
- **Category:** config_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root Cause

The certificate file is in DER format but nginx expects PEM, or the PEM file has been corrupted by extra spaces or binary data.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| nginx 1.24.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.18.0 | active | — | — |
| nginx 1.20.2 | active | — | — |

## Solutions

1. Convert the certificate from DER to PEM using OpenSSL, then replace the file:
   ```
   openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
   ```
2. If the file is PEM but corrupted, regenerate it by concatenating the certificate chain in the correct order, and ensure there are no extra spaces:
   ```
   cat server.crt intermediate.crt root.crt > /etc/nginx/ssl/cert.pem
   ```
3. Validate the PEM file to check for parsing errors before reloading nginx:
   ```
   openssl x509 -in /etc/nginx/ssl/cert.pem -text -noout
   ```
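
A pre-reload check for the causes named in this entry (DER instead of PEM, extra spaces, binary data), as an added example that is not part of the original entry. The function name `diagnose` and the sample bytes are constructed for illustration; the check inspects the file encoding only and does not validate the certificate or its chain.

```python
import base64
import binascii
import re

BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)

def diagnose(data: bytes) -> list:
    """Return findings for a file meant for ssl_certificate; [] means none."""
    # Raw DER starts with the ASN.1 SEQUENCE tag 0x30 and has no PEM armor.
    if data[:1] == b"\x30" and b"-----BEGIN" not in data:
        return ["DER encoded: convert with openssl x509 -inform DER -outform PEM"]
    findings = []
    # PEM is plain ASCII text; control or high bytes indicate binary data.
    if any(b > 0x7E or (b < 0x20 and b not in b"\t\r\n") for b in data):
        findings.append("binary (non-text) bytes in file")
    blocks = BLOCK.findall(data)
    if not blocks:
        findings.append("no complete BEGIN/END CERTIFICATE block")
    for i, body in enumerate(blocks):
        lines = body.splitlines()
        if any(line != line.strip() for line in lines):
            findings.append(f"block {i}: extra spaces around base64 lines")
        try:
            der = base64.b64decode(b"".join(l.strip() for l in lines), validate=True)
        except binascii.Error:
            findings.append(f"block {i}: body is not valid base64")
            continue
        # Each decoded certificate must itself begin with the SEQUENCE tag.
        if der[:1] != b"\x30":
            findings.append(f"block {i}: decoded body lacks SEQUENCE tag 0x30")
    return findings

# Constructed sample: placeholder bytes shaped like DER, not a real certificate.
SAMPLE_DER = b"\x30\x20" + bytes(range(32))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                       ("padded", SAMPLE_PEM.replace(b"\n-----END", b"  \n-----END"))]:
        print(name, diagnose(blob) or "ok")
```

Run it against the bytes of the file named in the `ssl_certificate` directive; an empty result means the encoding looks sane, and the `openssl x509` check in step 3 then confirms the first certificate parses.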

## Ineffective Attempts

- **** — The error is about file parsing, not trust chain validation. (95% failure rate)
- **** — The error explicitly mentions the certificate file path; the key is a separate directive. (99% failure rate)
- **** — The file content is invalid; a restart will reproduce the same error. (100% failure rate)
