How to enable OCSP stapling when default server is self-signed?

Maxim Dounin mdounin at mdounin.ru
Fri May 8 12:46:38 UTC 2015


Hello!

On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote:

[...]

> It turns out that the problem is "security.ssl.enable_ocsp_stapling", which
> is "true" by default. If I disable it, then FF loads the web sites. If I
> re-enable it, then FF complains again:
> 
> > Secure Connection Failed
> > An error occurred during a connection to madreacqua.org. 
> > Invalid OCSP signing certificate in OCSP response. 
> > (Error code: sec_error_ocsp_invalid_signing_cert)
> >
> > The page you are trying to view cannot be shown because the authenticity 
> > of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
> 
> If FF is correct, then nginx is returning a bad certificate, and we are back
> to square one. 

The "Invalid OCSP signing certificate in OCSP response" likely 
means that an OCSP response returned by nginx is signed by an 
invalid certificate, at least that's what's written.  Unless you've 
forced nginx to return something invalid using the 
ssl_stapling_file directive, it is probably due to a behaviour of 
your CA.  Ask your CA for more information.

A trivial workaround on the nginx side is to switch off ssl_stapling.

-- 
Maxim Dounin
http://nginx.org/
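The following is an added example and not part of the thread above or of nginx itself. It reproduces, entirely offline, one common way an OCSP response comes to be "signed by an invalid certificate": the CA delegates signing to a responder certificate that lacks the id-kp-OCSPSigning extended key usage (RFC 6960, section 4.2.2.2). It builds a throwaway CA, a server certificate and two responder certificates, produces a response with each using OpenSSL's built-in mini responder, and verifies both the way a strict client does. Everything is constructed for the demo: the CA and subject names, `example.test`, the serial numbers and the temporary directory are placeholders, and the script assumes the `openssl` command-line tool (1.1.1 or later) is installed.

```shell
#!/bin/sh
# Added example (not from the nginx thread): reproduce an OCSP response whose
# signer is not valid for OCSP signing, and show how verification distinguishes
# it from a correctly delegated signer.  All names, serials and dates below are
# constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.test
[v3_ocsp_good]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = OCSPSigning
[v3_ocsp_bad]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# issue NAME SUBJECT SERIAL EXTENSION_SECTION: key + CSR + CA-signed certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" -config req.cnf >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -set_serial "$3" \
    -days 30 -extfile req.cnf -extensions "$4" -out "$1.crt" >/dev/null 2>&1
}

openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Demo Root CA" -days 30 -config req.cnf -extensions v3_ca >/dev/null 2>&1
issue server    "/CN=example.test"     0x1001 v3_server
issue ocsp_good "/CN=Demo OCSP Signer" 0x1002 v3_ocsp_good   # has OCSPSigning EKU
issue ocsp_bad  "/CN=Demo Bad Signer"  0x1003 v3_ocsp_bad    # plain end-entity cert

# CA database for the mini responder, one tab-separated line:
# status (V = valid), expiry, revocation date (empty), serial, filename, subject.
serial=$(openssl x509 -in server.crt -noout -serial)
printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=example.test\n' "${serial#serial=}" > index.txt

# respond SIGNER OUTFILE: answer a locally generated request for server.crt,
# signing the response with SIGNER's key.  -noverify skips the responder's
# own check of what it just produced; we verify explicitly below.
respond() {
  openssl ocsp -index index.txt -CA ca.crt -rsigner "$1.crt" -rkey "$1.key" \
    -rmd sha256 -issuer ca.crt -cert server.crt -no_nonce -noverify \
    -respout "$2" >/dev/null 2>&1
}

# verify RESPFILE: prints OK or FAIL.  -no_explicit turns off OpenSSL's
# fallback of accepting a signer because the root is trusted for OCSP signing,
# so, as in a browser, only the issuing CA itself or a delegate carrying the
# OCSPSigning EKU is accepted.
verify() {
  out=$(openssl ocsp -respin "$1" -CAfile ca.crt -no_explicit 2>&1 || true)
  if printf '%s\n' "$out" | grep -q '^Response verify OK'; then
    echo OK
  else
    echo FAIL    # stderr carries the reason, e.g. "missing ocspsigning usage"
  fi
}

respond ocsp_good good.der
respond ocsp_bad  bad.der
GOOD_RESULT=$(verify good.der)
BAD_RESULT=$(verify bad.der)
echo "delegated signer with OCSPSigning EKU: $GOOD_RESULT"
echo "signer without OCSPSigning EKU:        $BAD_RESULT"
```

To inspect what a live server actually staples, `openssl s_client -connect host:443 -status` prints the stapled response (or "OCSP response: no response sent"), and the saved DER can be fed to `openssl ocsp -respin` as above; if the signer there fails the same delegation check, the fix lies with the CA's responder, which matches the advice in the reply above, and `ssl_stapling off;` only removes the symptom.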
