How to enable OCSP stapling when default server is self-signed?
bughunter
nginx-forum at nginx.us
Tue Apr 7 04:26:23 UTC 2015
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Sun, Apr 05, 2015 at 11:26:19PM -0400, bughunter wrote:
>
> > My web server is intentionally set up to only support virtual hosts and TLS
> > SNI. I know that the latter eliminates some ancient web browsers but I
> > don't care about those browsers.
> >
> > I want to enable OCSP stapling and it seems to be configured correctly in my
> > test vhost (everything else about SSL already works fine - I get an A on the
> > Qualys SSL Labs test) and there are no errors or warnings but "openssl
> > s_client" always returns:
> >
> > "OCSP response: no response sent"
> >
> > Yes, I ran the s_client command multiple times to account for the nginx
> > responder delay. I was testing OCSP stapling on just one of my domains.
> > Then I read that the 'default_server' SSL server also has to have OCSP
> > stapling enabled for vhost OCSP stapling to work:
> >
> > https://gist.github.com/konklone/6532544
>
> There is no such requirement.
>
> > This is a huge problem if I want to enable OCSP for my vhosts because my
> > 'default_server' certificate is self-signed (intentional) and running
> > 'configtest' with 'ssl_stapling' options on the default server, of course,
> > results in a warning:
> >
> > "nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"
> >
> > Which indicates that it isn't enabled on the default server and subsequent
> > s_client tests (after reloading the config, which, of course, issued the
> > same warning a second time) on the test vhost confirm that there was still
> > no OCSP stapling. It was a long shot in the first place.
>
> This warning indicates that you've tried to enable OCSP Stapling
> for a server with a certificate whose issuer certificate cannot be
> found, therefore the "ssl_stapling" directive was ignored for the
> server. To avoid seeing the warning on each start, consider
> switching off ssl_stapling for the server{} block in question.
As I explained, I enabled it as a long shot. I was expecting to get a
warning and I did. I have, of course, disabled it for the default server
section.
> > So how do I enable OCSP stapling for my vhosts when the default server cert
> > is self-signed? This seems like a potential bug in the nginx SSL module.
>
> Just enable ssl_stapling in appropriate server{} blocks.
As far as I can tell, I'm already doing that:
http://pastebin.com/Ymb5hxDP
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,257850#msg-257850
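An added example illustrating the layout the reply describes; it is not the poster's pastebin configuration (which is not reproduced on this page). The self-signed default_server keeps stapling off, so the "issuer certificate not found" warning goes away, and stapling is enabled only in the vhost that has a CA-issued certificate. Hostnames and file paths are placeholders.

```nginx
# Added example, not the configuration from the poster's pastebin.
# Hostnames and certificate/key paths are placeholders.
http {
    # nginx must resolve the CA's OCSP responder hostname (taken from the
    # certificate's AIA extension); point this at a resolver you control.
    resolver 127.0.0.1 valid=300s;
    resolver_timeout 5s;

    # Catch-all for unknown SNI names. The certificate is self-signed, so
    # there is no issuer to find; leave stapling off here, otherwise every
    # configtest/reload logs the "ssl_stapling ignored" warning.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/nginx/ssl/default-selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/default-selfsigned.key;
        ssl_stapling off;
        return 444;   # drop connections that did not match a real vhost
    }

    # Real vhost with a CA-issued certificate. Stapling is a per-server{}
    # setting and does not depend on the default_server block.
    server {
        listen 443 ssl;
        server_name www.example.com;
        # Leaf plus intermediate(s) in one file, so the issuer is found.
        ssl_certificate     /etc/nginx/ssl/www.example.com.fullchain.crt;
        ssl_certificate_key /etc/nginx/ssl/www.example.com.key;
        ssl_stapling on;
        # Check the OCSP response signature against the chain before
        # stapling it; ssl_trusted_certificate holds the intermediate(s)/root.
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ssl/www.example.com.chain.crt;
    }
}
```

Check with `openssl s_client -connect www.example.com:443 -servername www.example.com -status </dev/null`; the first handshake after a start or reload normally still reports "no response sent" because nginx fetches the OCSP response in the background and staples it from the next handshake on.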