How to enable OCSP stapling when default server is self-signed?

Maxim Dounin mdounin at
Mon Apr 13 11:57:39 UTC 2015


On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote:

> >> Yes, I ran the s_client command multiple times to account for the nginx
> >> responder delay. I was testing OCSP stapling on just one of my domains.
> >> Then I read that the 'default_server' SSL server also has to have OCSP
> >> stapling enabled for vhost OCSP stapling to work:
> >>
> >>
> >
> >There is no such a requirement.
> I have the same problem here.
> openssl s_client -servername ${WEBSITE} -connect ${WEBSITE}:443 -tls1
> -tlsextdebug -status|grep OCSP
> Always returns the following on all virtual hosts no matter on how many
> times I try:
> OCSP response: no response sent
> But as soon that I disable my self-signed default host and restart Nginx, I
> get a successfull repsonse on the second request on all CA signed hosts:
> OCSP Response Status: successful (0x0)

As previously suggested, tests with trivial config and debugging 
log may help to find out what goes wrong.

Maxim Dounin

More information about the nginx mailing list