Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin
April 06, 2015 03:22PM
Hello!

On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote:

> My web server is intentionally set up to only support virtual hosts and TLS
> SNI. I know that the latter eliminates some ancient web browsers but I
> don't care about those browsers.
>
> I want to enable OCSP stapling and it seems to be configured correctly in my
> test vhost (everything else about SSL already works fine - I get an A on the
> Qualys SSL Labs test) and there are no errors or warnings but "openssl
> s_client" always returns:
>
> "OCSP response: no response sent"
>
> Yes, I ran the s_client command multiple times to account for the nginx
> responder delay. I was testing OCSP stapling on just one of my domains.
> Then I read that the 'default_server' SSL server also has to have OCSP
> stapling enabled for vhost OCSP stapling to work:
>
> https://gist.github.com/konklone/6532544

There is no such requirement.

> This is a huge problem if I want to enable OCSP for my vhosts because my
> 'default_server' certificate is self-signed (intentional) and running
> 'configtest' with 'ssl_stapling' options on the default server, of course,
> results in a warning:
>
> "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"
>
> Which indicates that it isn't enabled on the default server and subsequent
> s_client tests (after reloading the config, which, of course, issued the
> same warning a second time) on the test vhost confirm that there was still
> no OCSP stapling. It was a long shot in the first place.

This warning indicates that you've tried to enable OCSP Stapling
for a server with a certificate whose issuer certificate cannot be
found, therefore the "ssl_stapling" directive was ignored for the
server. To avoid seeing the warning on each start, consider
switching off ssl_stapling for the server{} block in question.

> So how do I enable OCSP stapling for my vhosts when the default server cert
> is self-signed? This seems like a potential bug in the nginx SSL module.

Just enable ssl_stapling in appropriate server{} blocks.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
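An added configuration example, not part of the thread and not taken from either poster: it shows the layout Maxim describes, a self-signed `default_server` with stapling simply left off, next to a vhost with a publicly issued certificate where `ssl_stapling` is enabled. Hostnames, file paths and the resolver address are placeholders.

```nginx
# Added example (not from the original post). Paths and names are placeholders.

# Catch-all server for connections without a matching SNI name.
# The certificate is self-signed, so there is no issuer to verify against
# and no OCSP responder to query: ssl_stapling is deliberately NOT set here,
# which also avoids the "issuer certificate not found" warning on reload.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/default-selfsigned.crt;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/default-selfsigned.key;   # placeholder

    # Drop connections that did not ask for a real vhost.
    return 444;
}

# Real vhost with a CA-issued certificate: stapling is enabled only here.
server {
    listen 443 ssl;
    server_name example.com;   # placeholder

    # Leaf certificate followed by the intermediate(s); nginx needs the
    # issuer certificate in this file to locate the OCSP responder.
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/ssl/example.com.key;             # placeholder

    ssl_stapling on;
    # Verify the OCSP response against the CA chain before stapling it.
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;   # placeholder

    # nginx resolves the OCSP responder hostname from the certificate's
    # Authority Information Access extension, so a resolver is required.
    resolver 127.0.0.1 valid=300s;   # placeholder
    resolver_timeout 5s;
}
```

To check the result, connect with `openssl s_client -connect example.com:443 -servername example.com -status` and look for an "OCSP Response Status: successful" block instead of "OCSP response: no response sent". nginx fetches the OCSP response lazily after the first handshake for a given certificate, so the very first connection after a reload is expected to report no response; repeat the check a moment later. If `ssl_stapling_verify` rejects the response, nothing is stapled and the reason is logged at `error` level, which is the first place to look when the check keeps failing.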