OCSP stapling: automatic updates

September 07, 2015 10:17AM
Hello,

nginx is not updating the OCSP response cache:

This Update: Sep 5 08:36:32 2015 GMT
Next Update: Sep 7 08:36:32 2015 GMT

It is 16:09, so the cache is 8h behind.

How would you diagnose and solve this problem?

A related question is the duration of the cache.
The local server uses 2 days, as shown above.
How would you change this duration to, say, 8 days?

This is an example of an 8-day cache:

>echo QUIT | openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect ssllabs.com:443 -servername ssllabs.com -tlsextdebug -status 2>&1 | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'


OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K, CN = OCSP1
Produced At: Sep 7 02:16:10 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: CC6D221CF6B4552C2F87915F5AFEF0E1EECE83CC
Issuer Key Hash: 82A27074DDBC533FCF7BD4F7CD7FA760C60A4CBF
Serial Number: 50D359F0
Cert Status: good
This Update: Sep 6 06:29:30 2015 GMT
Next Update: Sep 14 02:16:10 2015 GMT <--------------------- 8 days


Thank you,
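
One way to check a stapled response for freshness, as an added example that is not part of the original post: it parses the `This Update` / `Next Update` lines of `openssl s_client -status` output and reports the validity window and how far past `Next Update` the staple is. The function names are hypothetical, and the embedded sample is constructed from the two dates quoted in the post.

```python
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the two validity lines quoted in the post above.
SAMPLE = """\
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""

# Tolerates leading indentation and trailing annotations after "GMT".
_FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s+GMT\b", re.M)


def parse_validity(text):
    """Return (this_update, next_update) in UTC; next_update may be None."""
    found = {}
    for name, value in _FIELD.findall(text):
        if name in found:          # only the first SingleResponse is checked
            continue
        stamp = " ".join(value.split())   # openssl pads single-digit days
        # %b is locale-dependent; run under an English/C locale.
        found[name] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(
            tzinfo=timezone.utc)
    if "This Update" not in found:
        raise ValueError("no stapled OCSP response found in input")
    return found["This Update"], found.get("Next Update")


def check_staple(text, now=None):
    """Summarise the validity window and whether the staple has expired."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = parse_validity(text)
    stale = next_update is not None and now > next_update
    return {
        "window": next_update - this_update if next_update else None,
        "not_yet_valid": now < this_update,
        "stale": stale,
        "overdue": now - next_update if stale else None,
    }


if __name__ == "__main__":
    report = check_staple(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["stale"] or report["not_yet_valid"] else 0)
```

Piping the output of the `openssl s_client ... -status` command shown in the post into the script gives an exit status of 1 when the staple is past `Next Update`, which makes it usable from a monitoring job.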
Subject Author Posted

OCSP stapling: automatic updates

173279834462 September 07, 2015 10:17AM

Re: OCSP stapling: automatic updates

Maxim Dounin September 07, 2015 01:30PM


