Question
When working with self-signed certificates, what specific Nginx configuration is needed to avoid "unable to verify the first certificate" errors on the client-side?
Asked by: USER7556
Answer
When Nginx serves a self-signed certificate, client browsers or applications will naturally report "unable to verify" errors because the certificate is not signed by a Certificate Authority (CA) trusted by default. This is expected behavior.
**Solutions for Client-Side Trust (No Nginx config change):**
1. **Manual Installation:** Distribute your self-signed certificate (or the CA certificate that signed it, if you have a private CA) to all clients and instruct them to manually add it to their operating system's or browser's trusted certificate store.
2. **Private CA:** If you operate a private CA, clients will need to trust your private CA's root certificate.
**If Nginx is a client (reverse proxy) and connecting to a backend with a self-signed cert:**
* Use `proxy_ssl_trusted_certificate /path/to/self_signed_cert.pem;` (or the custom CA that signed it) to explicitly tell Nginx to trust that certificate for the backend connection.

For public-facing services, obtaining a certificate from a public CA (e.g., Let's Encrypt) is always the recommended approach.
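As an added example that is not part of the original answer (hostnames, paths and the `backend.internal` upstream are constructed): a POSIX shell script that creates a private CA with OpenSSL, issues a server certificate from it, writes the Nginx fragment for both roles (serving the certificate, and trusting the CA on a proxied backend), and verifies the chain the same way a client that has imported `ca.pem` does. Note that `proxy_ssl_trusted_certificate` only takes effect together with `proxy_ssl_verify on`, which is off by default.

```shell
#!/bin/sh
# Constructed example: private CA, CA-signed server cert, Nginx fragment, and a
# chain check equivalent to what a client with the CA in its trust store performs.
set -eu

WORK=${WORK:-$(mktemp -d)}   # scratch directory for keys, certs and the config fragment

# Create the private CA root (this is what clients must import, not the leaf cert).
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Issue a server cert for host $1 signed by the CA, with a SAN so modern clients accept it.
issue_server_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/san.ext" -out "$WORK/server.pem" >/dev/null 2>&1
}

# Prints "OK" when server.pem chains to ca.pem; this mirrors a client that trusts the CA.
verify_against_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/server.pem" 2>/dev/null | sed 's/.*: //'
}

# Nginx fragment: serve the CA-signed cert, and verify the backend against the same CA.
write_nginx_fragment() {
  cat > "$WORK/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $WORK/server.pem;   # leaf cert; append intermediates here if any exist
    ssl_certificate_key $WORK/server.key;
    location / {
        proxy_pass https://backend.internal;
        proxy_ssl_trusted_certificate $WORK/ca.pem;  # trust store for the backend connection
        proxy_ssl_verify on;                         # off by default; without it the store is ignored
        proxy_ssl_name backend.internal;             # name checked against the backend cert
    }
}
EOF
}
```

Run `make_private_ca`, `issue_server_cert www.example.test`, `write_nginx_fragment www.example.test` and then `verify_against_ca`; a result other than `OK` means clients that imported `ca.pem` would still reject the served certificate.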