How to enable OCSP stapling when default server is self-signed?

Maxim Dounin mdounin at
Wed Sep 28 21:14:22 UTC 2016


On Wed, Sep 28, 2016 at 12:44:45PM -0400, hotwirez wrote:


> I wanted to mention that I've run into this issue as well when trying to
> enable OCSP stapling, where I have a default_deny SSL server that has a
> self-signed certificate where I don't want to use OCSP stapling, and other
> actual server entries for actual sites where I want OCSP stapling enabled. 
> If I enable stapling for only the real sites, it appears to be silently
> disabled.  If I enable it for all server instances, it notices that the
> default server uses a self-signed certificate and disables stapling.  If I
> remove the default server, OCSP stapling works for the remaining sites, but
> then accessing the site using a means other than the correct server name
> provides the SSL certificate for one of the servers.

Problems with OCSP stapling if it is disabled in the default 
server{} block were traced to be an OpenSSL bug, silently fixed in 
1.0.0m/1.0.1g/1.0.2.  See here for details:

If you see the problem it means you have to update the OpenSSL 
library you are using.

Maxim Dounin
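Two checks that follow from the reply above, as an added example that is not part of the mailing-list thread (the function names and the two sample `s_client -status` transcripts are my own constructions): one tells whether an OpenSSL version string is at or past the releases Maxim names, the other tells whether a captured `openssl s_client -status` transcript actually contains a stapled response.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the situation above:
#  1. is the OpenSSL build at or past the release that fixed stapling with a
#     default server{} that has stapling off (1.0.0m / 1.0.1g / 1.0.2)?
#  2. does an `openssl s_client -status` transcript show a stapled response?

letter_ord() {                    # ASCII code of a one-letter suffix, 0 if none
    [ -n "$1" ] || { echo 0; return; }
    printf '%d' "'$1"
}

# openssl_has_stapling_fix VERSION  (e.g. 1.0.1e, 1.0.2k, 1.1.1, 3.0.2)
# exit 0 = fixed release, 1 = needs update, 2 = version string not understood
openssl_has_stapling_fix() {
    base=$(printf '%s' "$1" | sed -n 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p')
    letter=$(printf '%s' "$1" | sed -n 's/^[0-9]*\.[0-9]*\.[0-9]*\([a-z]\{0,1\}\).*/\1/p')
    [ -n "$base" ] || return 2
    case "$base" in
        0.*)   return 1 ;;                                            # 0.9.8 line
        1.0.0) [ "$(letter_ord "$letter")" -ge "$(letter_ord m)" ] ;; # >= 1.0.0m
        1.0.1) [ "$(letter_ord "$letter")" -ge "$(letter_ord g)" ] ;; # >= 1.0.1g
        *)     return 0 ;;                                            # 1.0.2 and later
    esac
}

# stapled_in_transcript < s_client-output
# exit 0 = stapled OCSP response present, 1 = "no response sent", 2 = neither seen
stapled_in_transcript() {
    transcript=$(cat)
    case "$transcript" in
        *"OCSP Response Status: successful"*) return 0 ;;
        *"OCSP response: no response sent"*)  return 1 ;;
        *)                                    return 2 ;;
    esac
}

# Constructed transcripts: what -status prints with and without a staple.
STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)'
UNSTAPLED='OCSP response: no response sent'

# Live use: ask the real site by SNI, as a browser would, not the default server.
#   openssl_has_stapling_fix "$(openssl version | awk '{print $2}')" || echo "update OpenSSL"
#   printf '' | openssl s_client -connect example.com:443 -servername example.com -status 2>/dev/null \
#       | stapled_in_transcript && echo stapled
```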
