Re: There is a newer OCSP response but was not provided by the server

Maxim Dounin
September 23, 2015 12:18PM
Hello!

On Wed, Sep 23, 2015 at 11:39:13AM -0400, 173279834462 wrote:

> From my seat, the CA works and NGINX is not returning the
> OCSP response. In fact, I can generate the stapling manually.

Most problems I've seen with OCSP stapling were about incorrect use
of ssl_stapling_verify (without an appropriate set of trusted
certificates). Given the symptoms you describe and the fact that the
configuration snippet you've quoted contains "ssl_stapling_verify
on" (and doesn't contain ssl_trusted_certificate) - it's likely the
issue you are facing.

> Barred the various considerations of what is or is not possible,
> I think that a more robust solution is in order, for example,
> nginx could (should at this point?) log the stapling progress,
> so that sysadmin knows that the process is being executed,
> possibly with relevant warnings and error messages.

All OCSP stapling errors (including ones related to OCSP response
verification) are logged into nginx global error log. Detailed
progress can be seen at 'debug' level.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
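
The pattern the reply above points to, next to a corrected version, as an added example that is not part of the original message or of the original poster's configuration. Host names, file paths and the resolver address are placeholders, and the debug log level assumes an nginx binary built with --with-debug.

```nginx
# Constructed example: names, paths and addresses are placeholders.

# Stapling errors go to the global error log, so set the level in the
# main context. 'debug' shows stapling progress (needs --with-debug).
error_log /var/log/nginx/error.log debug;

events {}

http {
    # Before: verification is requested, but no trusted chain is configured
    # for nginx to check the OCSP response against.
    server {
        listen 443 ssl;
        server_name before.example.com;

        ssl_certificate     /etc/nginx/tls/before.example.com.pem;
        ssl_certificate_key /etc/nginx/tls/before.example.com.key;

        ssl_stapling        on;
        ssl_stapling_verify on;
        # ssl_trusted_certificate is absent
    }

    # After: same stapling settings, plus the chain used for verification.
    server {
        listen 443 ssl;
        server_name after.example.com;

        ssl_certificate     /etc/nginx/tls/after.example.com.pem;
        ssl_certificate_key /etc/nginx/tls/after.example.com.key;

        ssl_stapling        on;
        ssl_stapling_verify on;

        # Issuer, intermediate and root certificates of the server certificate,
        # in PEM format, used to verify the OCSP response.
        ssl_trusted_certificate /etc/nginx/tls/ca-chain.pem;

        # Needed so nginx can resolve the OCSP responder's host name.
        resolver 192.0.2.53;
    }
}
```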