Keywords: SSL Certificate | Certificate Chain Verification | nginx Configuration | Intermediate Certificate | OpenSSL Diagnosis
Abstract: This article provides a comprehensive analysis of the common 'unable to get local issuer certificate' error in SSL/TLS configuration. Through practical case studies, it reveals the root causes of certificate chain verification failures. The paper elaborates on the role of intermediate certificates, correct methods for building certificate chains, and provides specific configuration solutions for nginx servers. It also examines differences in certificate validation across browsers and technical details of using OpenSSL tools for diagnosis.
Analysis of SSL Certificate Chain Verification Mechanism
In SSL/TLS communication, certificate chain verification is a critical component for ensuring secure communication. When a client connects to an HTTPS-enabled server, it performs a complete certificate validation process, including verifying certificate validity, checking the issuer chain, and confirming root certificate trustworthiness.
Error Phenomenon and Root Causes
In practical deployments, a typical error frequently encountered is:
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trustedThese errors indicate that the client cannot find the intermediate or root certificates required to validate the server certificate in the local certificate store. The core issue lies in an incomplete or misconfigured certificate chain.
Certificate Chain Construction Principles
Proper certificate chain construction should follow the complete path from the end-entity certificate to the root certificate. Taking GlobalSign AlphaSSL as an example, the complete certificate chain should include:
End-entity certificate → AlphaSSL intermediate certificate → GlobalSign root certificateIn nginx configuration, the certificate chain file should be concatenated in the correct order:
cat mysite.ca.crt intermediate.crt > mysite.ca.chained.crtSpecial Considerations for SHA256 Certificates
Modern SSL certificates commonly use the SHA256 algorithm, which requires matching intermediate certificates. If incompatible intermediate certificates are used, even with a seemingly complete chain, verification will fail. The correct approach is to obtain intermediate certificates that match the certificate algorithm:
wget http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crtnginx Configuration Optimization
In the nginx configuration file, beyond specifying the correct certificate file paths, attention should be paid to other relevant parameters:
ssl_certificate /usr/local/nginx/priv/mysite.ca.chained.crt;
ssl_certificate_key /usr/local/nginx/priv/mysite.ca.key;
ssl_verify_depth 2;The ssl_verify_depth parameter controls the depth of certificate chain verification; for a typical three-level certificate chain, setting it to 2 is appropriate.
Browser Compatibility Differences
Different browsers handle certificate validation differently. Chrome and Safari may be more lenient with incomplete certificate chains, while Firefox typically enforces stricter validation. This difference explains why certificates might validate in some browsers but fail in others.
Using OpenSSL Diagnostic Tools
The OpenSSL s_client tool can be used for in-depth certificate diagnostics:
openssl s_client -connect example.com:443 -showcertsThis command displays complete certificate chain information, helping to identify missing intermediate certificates.
System Certificate Store Management
In Debian systems, the update-ca-certificates command can be used to update the system certificate store. However, it's important to note that this method primarily affects system-level certificate validation; for certificate chain configuration in specific services like nginx, correct specification in the service configuration file is still required.
Best Practice Recommendations
To avoid certificate chain verification issues, it is recommended to follow these best practices: ensure the use of intermediate certificates that match the certificate algorithm; concatenate certificates in the correct order within the certificate chain file; regularly verify the integrity of the certificate chain; conduct compatibility testing across different browsers and devices.
Troubleshooting Process
When encountering certificate verification problems, it is advisable to follow this troubleshooting process: verify the integrity of the certificate chain; check the correctness of intermediate certificates; confirm updates to the system certificate store; use tools for detailed diagnosis; refer to documentation and resources provided by the certificate authority.