Welcome! Log In Create A New Profile

Advanced

Re: what happy when nginx cannot request certificate status using ssl_stapling_verify

J.R.
January 14, 2020 08:46AM
> I enable "ssl_stapling" and "ssl_stapling_verify", it can work fine. But
> sometime, I can find a few error messages in error.log, ".....Operation
> timed out) while requesting certificate status....", it seem the OCSP server
> of my SSL provider cannot be connected at that time.
>
> I want to know, what happy when nginx cannot request certificate status? the
> user can visit website correctly? thank you so much.

1. The OCSP certificate is valid for much longer than the intervals
your server renews it at, so even if you can't connect for a while it
should still be valid.
2. The client will contact the certificate's OCSP server directly if
you don't send the OCSP cert (or it's expired) for verification.
3. The above #2 statement assumes your SSL Cert was NOT generated with
"Must Staple". If it is, then you would definitely need a valid ocsp
cert copy to send to clients, otherwise they will get an error.

I see several failed attempts in my error log every day, it happens...
Unless you have dozens & dozens of them from the same IP, then I
wouldn't worry about it.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

what happy when nginx cannot request certificate status using ssl_stapling_verify

q1548 January 13, 2020 09:29PM

Re: what happy when nginx cannot request certificate status using ssl_stapling_verify

J.R. January 14, 2020 08:46AM

Re: what happy when nginx cannot request certificate status using ssl_stapling_verify

q1548 January 14, 2020 08:41PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 250
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready