How to enable OCSP stapling when default server is self-signed?

Maxim Dounin mdounin at mdounin.ru
Mon Apr 13 11:57:39 UTC 2015


Hello!

On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote:

> >> Yes, I ran the s_client command multiple times to account for the nginx
> >> responder delay. I was testing OCSP stapling on just one of my domains.
> >> Then I read that the 'default_server' SSL server also has to have OCSP
> >> stapling enabled for vhost OCSP stapling to work:
> >>
> >> https://gist.github.com/konklone/6532544
> >
> >There is no such a requirement.
> 
> I have the same problem here.
> 
> openssl s_client -servername ${WEBSITE} -connect ${WEBSITE}:443 -tls1
> -tlsextdebug -status|grep OCSP
> 
> Always returns the following on all virtual hosts no matter on how many
> times I try:
> OCSP response: no response sent
> 
> But as soon as I disable my self-signed default host and restart Nginx, I
> get a successful response on the second request on all CA signed hosts:
> OCSP Response Status: successful (0x0)

As previously suggested, tests with trivial config and debugging 
log may help to find out what goes wrong.

-- 
Maxim Dounin
http://nginx.org/
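Since the thread hinges on how the `openssl s_client -status` output is read, here is an added example (not from the thread or from nginx) that classifies that output and probes a host twice, because nginx fetches the OCSP response lazily and the first handshake after a restart is expected to report "no response sent". The two sample outputs are constructed, the host name is a placeholder, and the probe omits `-tls1` so the server's own protocol choice is used.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Classify the OCSP stapling status in `openssl s_client -status` output
# and probe a virtual host more than once, since nginx only fetches the
# OCSP response after the first handshake for that certificate.

# Read s_client output on stdin and print one word:
#   stapled  - a successful OCSP response was stapled
#   none     - the server sent no OCSP response
#   unknown  - output did not contain either marker (e.g. connection failed)
ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Probe host $1 (port $2, default 443) with SNI set, twice with a pause,
# and print the status of each attempt. Needs network access; the second
# attempt is the one that matters for nginx, as the thread notes.
probe_stapling() {
    host=$1
    port=${2:-443}
    for attempt in 1 2; do
        status=$(openssl s_client -servername "$host" -connect "$host:$port" \
                     -status </dev/null 2>/dev/null | ocsp_status)
        echo "attempt $attempt: $status"
        [ "$attempt" -eq 1 ] && sleep 2
    done
}

# Constructed sample outputs (trimmed) for offline use of ocsp_status.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Run the live probe only when a host is given, e.g.:
#   sh check_stapling.sh www.example.invalid   (placeholder host)
if [ $# -gt 0 ]; then
    probe_stapling "$@"
fi
```

Reading the second attempt rather than the first separates the lazy-fetch delay from a real stapling problem; if both attempts print `none`, the vhost itself is not stapling and a minimal config with a debug log, as Maxim suggests, is the next step.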


