Introduction
SSL certificate chain issues cause browsers to show certificate warnings. This guide explains certificate chain validation and proper Nginx SSL configuration.
Symptoms
- 'SSL certificate problem: unable to get local issuer certificate'
- "Chain incomplete" warnings in SSL Labs
- Some browsers showing warnings while others work
- curl failing with certificate verification errors
Step-by-Step Fix
1. Verify the certificate chain:
```bash
# Show the chain the server actually sends (-servername sets SNI)
openssl s_client -connect example.com:443 -servername example.com
# Check the certificate against a local CA bundle
openssl verify -CAfile ca-bundle.crt certificate.crt
```
2. Combine the certificate with the intermediate CA:
```bash
cat certificate.crt intermediate.crt > combined.crt
# Order matters: your cert first, then intermediates, root last (optional)
```
3. Configure Nginx properly:
```nginx
server {
    listen 443 ssl http2;
    # Leaf certificate followed by the intermediates (the combined file from step 2)
    ssl_certificate /etc/nginx/ssl/combined.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    # CA certificates used to verify OCSP responses when stapling is enabled; not sent to clients
    ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;
}
```
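Because a wrongly ordered bundle is easy to produce in step 2, the following added example (not part of the original guide) checks that each certificate in a bundle is issued by the one after it. The function names `split_bundle`, `check_chain_order` and `make_demo_chain` are hypothetical, the demo chain is constructed throwaway data, and the check compares issuer and subject names only, so `openssl verify` remains the signature check.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): verify bundle order before
# pointing ssl_certificate at it. Requires the openssl CLI.

# split_bundle BUNDLE OUTDIR: write each PEM certificate to OUTDIR/cert-NN.pem
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
}

# check_chain_order BUNDLE: 0 if each cert is issued by the one after it,
# 1 if the order is wrong, 2 if the file holds no certificates.
check_chain_order() {
  local tmp prev_issuer="" f subj rc=0
  tmp=$(mktemp -d) || return 2
  split_bundle "$1" "$tmp"
  for f in "$tmp"/cert-*.pem; do
    [ -e "$f" ] || { echo "no certificates found in $1"; rc=2; break; }
    subj=$(openssl x509 -in "$f" -noout -subject_hash)
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "${f##*/}: subject does not match the previous certificate's issuer"
      rc=1; break
    fi
    prev_issuer=$(openssl x509 -in "$f" -noout -issuer_hash)
  done
  rm -rf "$tmp"
  return "$rc"
}

# make_demo_chain DIR: constructed throwaway root -> intermediate -> leaf,
# using the guide's file names (certificate.crt, intermediate.crt).
make_demo_chain() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" -days 1 \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/intermediate.crt" \
    -CAkey "$d/int.key" -CAcreateserial -days 1 -out "$d/certificate.crt" 2>/dev/null
}
```

Run `check_chain_order /etc/nginx/ssl/combined.crt` before reloading Nginx; a non-zero exit status means the bundle should be rebuilt in the order given in step 2.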