How to enable OCSP stapling when default server is self-signed?

bughunter nginx-forum at nginx.us
Tue Apr 7 04:26:23 UTC 2015


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote:
> 
> > My web server is intentionally set up to only support virtual hosts
> > and TLS SNI.  I know that the latter eliminates some ancient web
> > browsers but I don't care about those browsers.
> > 
> > I want to enable OCSP stapling and it seems to be configured
> > correctly in my test vhost (everything else about SSL already works
> > fine - I get an A on the Qualys SSL Labs test) and there are no
> > errors or warnings but "openssl s_client" always returns:
> > 
> > "OCSP response: no response sent"
> > 
> > Yes, I ran the s_client command multiple times to account for the
> > nginx responder delay.  I was testing OCSP stapling on just one of my
> > domains.  Then I read that the 'default_server' SSL server also has
> > to have OCSP stapling enabled for vhost OCSP stapling to work:
> > 
> > https://gist.github.com/konklone/6532544
> 
> There is no such requirement.
> 
> > This is a huge problem if I want to enable OCSP for my vhosts
> > because my 'default_server' certificate is self-signed (intentional)
> > and running 'configtest' with 'ssl_stapling' options on the default
> > server, of course, results in a warning:
> > 
> > "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"
> > 
> > Which indicates that it isn't enabled on the default server and
> > subsequent s_client tests (after reloading the config, which, of
> > course, issued the same warning a second time) on the test vhost
> > confirm that there was still no OCSP stapling.  It was a long-shot in
> > the first place.
> 
> This warning indicates that you've tried to enable OCSP Stapling 
> for a server with a certificate whose issuer certificate cannot be 
> found, therefore the "ssl_stapling" directive was ignored for the 
> server.  To avoid seeing the warning on each start, consider 
> switching off ssl_stapling for the server{} block in question.

As I explained, I enabled it as a long-shot.  I was expecting to get a
warning and I did.  I have, of course, disabled it for the default server
section.


> > So how do I enable OCSP stapling for my vhosts when the default
> > server cert is self-signed?  This seems like a potential bug in the
> > nginx SSL module.
> 
> Just enable ssl_stapling in appropriate server{} blocks.

As far as I can tell, I'm already doing that:

http://pastebin.com/Ymb5hxDP

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,257850#msg-257850
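As an added illustration of the layout Maxim describes (this is not the poster's pastebin config, which is not reproduced here): ssl_stapling is left off in the self-signed default_server block and enabled only in the SNI vhost, whose certificate file carries the issuer (intermediate) certificate nginx needs to build the OCSP request. Paths, the host name and the resolver address are hypothetical placeholders.

```nginx
# Added example, not the poster's configuration.
# All file paths, the host name and the resolver address are hypothetical.

http {
    # nginx must resolve the OCSP responder named in the certificate's
    # AIA extension; without a resolver no staple is ever fetched.
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;

    # Catch-all for TLS connections whose SNI name matches no vhost.
    # Its certificate is self-signed, so it has no issuer certificate and
    # no OCSP responder: leave ssl_stapling off here, which avoids the
    # "ssl_stapling ignored, issuer certificate not found" warning.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/selfsigned.crt;   # hypothetical
        ssl_certificate_key /etc/nginx/ssl/selfsigned.key;   # hypothetical
        # no ssl_stapling directive in this block
        return 444;   # close the connection without a response
    }

    # A real vhost selected by SNI; stapling is enabled only here.
    server {
        listen 443 ssl;
        server_name example.com;   # hypothetical host name

        # fullchain.pem = leaf certificate followed by its intermediate(s).
        # The intermediate is the "issuer certificate" nginx needs to build
        # the OCSP request; a leaf-only file triggers the same warning as
        # the self-signed default server.
        ssl_certificate     /etc/nginx/ssl/example.com/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/example.com/privkey.pem;

        ssl_stapling on;
        # Check the responder's signature before stapling its answer; the
        # trusted file must hold the leaf's issuer chain up to the root.
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/example.com/chain.pem;
    }
}
```

The first handshake after a start or reload carries no staple because nginx fetches the OCSP response asynchronously, so run `openssl s_client -connect example.com:443 -servername example.com -status` a second time before concluding that stapling is off.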
