Re: Restarting service takes too much time

A. Schulze via nginx
December 04, 2022 07:32AM
On 04.12.22 at 08:04, blason wrote:
> Yes - He is right; everything revolves around DNS and even my error is
> with DNS resolving as it was not able to resolve the ocsp.godaddy.com hence
> please troubleshoot from DNS perspective.

Hello List,

To avoid these problems I prefer https://nginx.org/r/ssl_stapling_file

Some years ago I ran an nginx instance handling thousands of vhosts.
The - in practice not notable - reload time was amazing!

Attached is a simplified 'update_ssl_stapling_file'.

It should be run once a day.
The operator should monitor that every 'ssl_stapling_file.der' isn't older than 3-4 days.

Andreas

#!/bin/sh

set -u

# used files:
#
# cert.pem
# - contains only the server certificate itself
#
# intermediate.pem
# - contains one or more intermediate certificates excluding the root itself
# - may be empty
# - this script assumes exactly one intermediate
#
# root.pem
# - the root, unused in this example
#
# cert+intermediate.pem
# - created by 'cat cert.pem intermediate.pem > ssl_certificate.pem'
# - used as https://nginx.org/r/ssl_certificate
#
# key.pem
# - used as https://nginx.org/r/ssl_certificate_key
#
# ssl_stapling_file.der
# - created by this script
# - used as https://nginx.org/r/ssl_stapling_file

_ocsp_uri="$( openssl x509 -in cert.pem -noout -ocsp_uri )"

failed() {
  echo >&2 "$0 failed: $1"
  rm -f ssl_stapling_file.tmp
  exit 1
}

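# Query the responder; -respout stores the DER response that nginx will staple.
if ! _r="$( openssl ocsp \
    -no_nonce \
    -respout ssl_stapling_file.tmp \
    -CAfile intermediate.pem \
    -issuer intermediate.pem \
    -cert cert.pem \
    -url "${_ocsp_uri}" \
    2>&1 )"; then
  failed "${_r}"
fi

# Require both lines: the response signature verified and the status is "good".
# Two -e patterns in a single grep would pass when only one of them matches.
if ! echo "${_r}" | grep --text --silent -e 'Response verify OK'; then
  failed "${_r}"
fi
if ! echo "${_r}" | grep --text --silent -e '^cert\.pem: good$'; then
  failed "${_r}"
fi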

mv ssl_stapling_file.tmp ssl_stapling_file.der
echo 'ssl_stapling_file.der updated, "nginx -s reload" is recommended'
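
One way to implement the freshness monitoring the post recommends, as an added example that is not part of the original message or its attachment. It assumes one directory per vhost under a common root, each holding cert.pem and ssl_stapling_file.der; the function names check_staples and monitor_staples are hypothetical.

```shell
#!/bin/sh
# Added example: freshness monitor for files written by update_ssl_stapling_file.
# Assumed layout (not from the post): ROOT/<vhost>/cert.pem next to
# ROOT/<vhost>/ssl_stapling_file.der, one directory per vhost.

# Print one "STATE path" line per problem; print nothing when all is well.
check_staples() {
    root="$1"
    max_days="${2:-3}"
    for cert in "$root"/*/cert.pem; do
        [ -f "$cert" ] || continue   # glob matched nothing
        der="${cert%/cert.pem}/ssl_stapling_file.der"
        if [ ! -f "$der" ]; then
            echo "MISSING $der"      # update script never succeeded here
        elif [ ! -s "$der" ]; then
            echo "EMPTY $der"        # zero-length file, nothing to staple
        # find -mtime +N matches once the age exceeds N full 24h periods,
        # so N=3 flags a file that is at least 4 days old.
        elif [ -n "$(find "$der" -mtime +"$max_days")" ]; then
            echo "STALE $der"        # daily refresh has been failing
        fi
    done
}

# Nagios-style wrapper: report and return 2 on any problem, else return 0.
monitor_staples() {
    problems="$(check_staples "$@")"
    if [ -n "$problems" ]; then
        echo "CRITICAL: OCSP stapling files need attention"
        echo "$problems"
        return 2
    fi
    echo "OK: all stapling files are fresh"
}

# Run as a script: check_staples.sh ROOT [MAX_DAYS]
if [ "$#" -gt 0 ]; then
    monitor_staples "$@"
fi
```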