Hello!

On Tue, Jan 01, 2019 at 06:24:04PM +0100, ѽ҉ḳ℠ wrote:

> Am 01.01.19 um 17:10 schrieb ѽ҉ᶬḳ℠:
>
> Hi,
>
> would appreciate to get this (weird) error sorted/resolved. Having looked up pu
> blic sources I could not find a remedy and thus placing my hope on this list.
>
> ssl_stapling_file foo.bar.der;
> ssl_stapling on;
>
> nginx -t then produces:
>
> [emerg] 24249#24249: d2i_OCSP_RESPONSE_bio("/srv/ca/certs/ocsp_to_lan_3.cert.der
> ") failed (SSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
> error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error er
> ror:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:Fi
> eld=responseStatus, Type=OCSP_RESPONSE)

[...]

> I generate the file the way I would trust is common standard/practice
> (?)
> 1. openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 -out
> foo.bar.key.pem -aes-256-cbc
> 2. openssl req -config foo.bar.cnf -key foo.bar.key.pem -new -out
> foo.bar.csr.pem
> 3. openssl ca -config foobar.ca.cnf -extensions v3_foo-bar -days 365
> -notext -in foo.bar.csr.pem -out foo.bar.cert.pem
> 4. openssl x509 -outform DER -in foo.bar.cert.pem -out
> foo.bar.cert.der
>
> It generates a valid cert and openssl has no encoding issues. What is
> difference and why this should not work? And why has the other command
> to be done again after some days?

The "ssl_stapling_file" directive needs an OCSP response obtained
from your certificate authority, not a certificate. As you are
trying to put a certificate instead, parsing expectedly fails.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx