How to enable OCSP stapling when default server is self-signed?

bughunter nginx-forum at
Mon Apr 6 03:26:19 UTC 2015

My web server is intentionally set up to only support virtual hosts and TLS
SNI.  I know that the latter eliminates some ancient web browsers but I
don't care about those browsers.

I want to enable OCSP stapling and it seems to be configured correctly in my
test vhost (everything else about SSL already works fine - I get an A on the
Qualys SSL Labs test) and there are no errors or warnings but "openssl
s_client" always returns:

"OCSP response: no response sent"

Yes, I ran the s_client command multiple times to account for the nginx
responder delay.  I was testing OCSP stapling on just one of my domains. 
Then I read that the 'default_server' SSL server also has to have OCSP
stapling enabled for vhost OCSP stapling to work:

This is a huge problem if I want to enable OCSP for my vhosts because my
'default_server' certificate is self-signed (intentional) and running
'configtest' with 'ssl_stapling' options on the default server, of course,
results in a warning:

"nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"

Which indicates that it isn't enabled on the default server and subsequent
s_client tests (after reloading the config, which, of course, issued the
same warning a second time) on the test vhost confirm that there was still
no OCSP stapling.  It was a long-shot in the first place.

So how do I enable OCSP stapling for my vhosts when the default server cert
is self-signed?  This seems like a potential bug in the nginx SSL module.

Other useful info:  Running nginx 1.6.2 (Stable) built from source.  My
'resolver' line in my config points at a local BIND9 server that
'dig @localhost' confirms is working just fine - so it
isn't a DNS resolver issue as far as I can tell.  The error logs are quiet
other than the warning I got when I added the OCSP stapling options to

Posted at Nginx Forum:,257833,257833#msg-257833

More information about the nginx mailing list