Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin
May 08, 2015 08:48AM
Hello!

On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote:

[...]

> It turns out that the problem is "security.ssl.enable_ocsp_stapling", which is
> "true" by default. If I disable it, then FF loads the web sites. If I
> re-enable it, then FF complains again:
>
> > Secure Connection Failed
> > An error occurred during a connection to madreacqua.org.
> > Invalid OCSP signing certificate in OCSP response.
> > (Error code: sec_error_ocsp_invalid_signing_cert)
> >
> > The page you are trying to view cannot be shown because the authenticity
> > of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
>
> If FF is correct, then nginx is returning a bad certificate, and we are back
> to square one.

The "Invalid OCSP signing certificate in OCSP response" likely
means that an OCSP response returned by nginx is signed by an
invalid certificate, at least that's what is written. Unless you've
forced nginx to return something invalid using the
ssl_stapling_file directive, it is probably due to a behaviour of
your CA. Ask your CA for more information.

Trivial workaround on nginx side is to switch off ssl_stapling.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
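
The workaround from the reply above, next to a configuration that keeps stapling on but has nginx verify the CA's OCSP response before stapling it. This is an added example, not part of the original message; the server names, file paths and resolver address are placeholders, and whether nginx's own verification rejects the same response Firefox rejects is not established by the thread.

```nginx
# Option 1: the workaround from the reply, stop stapling altogether.
server {
    listen 443 ssl;
    server_name example.org;                              # placeholder name

    ssl_certificate     /etc/nginx/tls/example.org.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.org.key;   # placeholder path

    ssl_stapling off;
}

# Option 2: keep stapling, but have nginx verify each OCSP response itself.
# A response that fails verification is reported in the error log and is
# not stapled, so the CA-side problem shows up on the server.
server {
    listen 443 ssl;
    server_name example.net;                              # placeholder name

    ssl_certificate     /etc/nginx/tls/example.net.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.net.key;   # placeholder path

    ssl_stapling        on;
    ssl_stapling_verify on;

    # Issuer, intermediate and root certificates used to verify the
    # OCSP response (PEM, concatenated).
    ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;  # placeholder path

    # Needed so nginx can resolve the OCSP responder's hostname.
    resolver 192.0.2.53;                                  # placeholder address
}
```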