Published signals

Why Kestrel Rejects SSL Certificates That Work on Nginx: A Deep Dive

Score: 7/10
Topic: Kestrel SSL certificate trust behavior analysis

A real-world debugging case reveals Kestrel's SSL certificate chain validation differs from nginx, causing trust failures in constrained client environments.

A Chinese developer recently encountered a puzzling SSL issue: a certificate that worked perfectly on nginx failed on Kestrel, ASP.NET Core's cross-platform web server. The problem surfaced while updating SSL certificates for a project built on CYarp, which exposes Kestrel as an external gateway. Browsers accepted the new certificate, but client devices (likely ones with limited or customized trust stores) rejected it. The author systematically compared Kestrel and nginx behavior and found that Kestrel performs stricter certificate chain validation by default: it verifies intermediate certificates and trust anchors more rigorously than nginx, which often accepts chains that Kestrel deems incomplete. The post provides practical debugging steps, such as inspecting the certificate chain with OpenSSL and adjusting Kestrel's validation settings through the `KestrelServerOptions` configuration. For .NET developers deploying Kestrel in edge or gateway roles, it is a critical reminder to test SSL trust across every client type, not just browsers. The root cause is not a bug but a design difference: Kestrel prioritizes security over compatibility, which can break connections from older or embedded clients.