OCSP stapling: automatic updates
nginx-forum at nginx.us
Mon Sep 7 14:17:22 UTC 2015
Hello,
nginx is not updating the OCSP response cache:
This Update: Sep 5 08:36:32 2015 GMT
Next Update: Sep 7 08:36:32 2015 GMT
It is 16:09, so the cache is 8h behind.
How would you diagnose and solve this problem?
A related question is the duration of the cache.
The local server uses 2 days, as shown above.
How would you change this duration to, say, 8 days?
This is an example of an 8-day cache:
>echo QUIT | openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect ssllabs.com:443 -servername ssllabs.com -tlsextdebug -status 2>&1 | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K, CN = OCSP1
Produced At: Sep 7 02:16:10 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: CC6D221CF6B4552C2F87915F5AFEF0E1EECE83CC
Issuer Key Hash: 82A27074DDBC533FCF7BD4F7CD7FA760C60A4CBF
Serial Number: 50D359F0
Cert Status: good
This Update: Sep 6 06:29:30 2015 GMT
Next Update: Sep 14 02:16:10 2015 GMT <--------------------- 8 days
Thank you,
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261473,261473#msg-261473
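
Added example, not part of the original post: a Python check that reads the This Update / Next Update fields from `openssl s_client -status` output like the one quoted above and reports the validity window and whether the stapled response has passed its Next Update. The function names, the trimmed sample texts and the check time are constructed for illustration; the timestamps are the ones quoted in the post.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenSSL prints OCSP times as e.g. "Sep  7 08:36:32 2015 GMT" (always GMT).
_FIELD = re.compile(
    r"^\s*(This Update|Next Update):\s*"
    r"(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT", re.M)

def parse_ocsp_times(text):
    """Extract the first This Update / Next Update pair from s_client output."""
    times = {}
    for name, stamp in _FIELD.findall(text):
        stamp = " ".join(stamp.split())          # collapse day padding
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        times.setdefault(name, parsed.replace(tzinfo=timezone.utc))
    return times

def staple_status(text, now=None):
    """Report whether a staple is present, its validity window, and staleness."""
    now = now or datetime.now(timezone.utc)
    t = parse_ocsp_times(text)
    if len(t) < 2:                               # e.g. "no response sent"
        return {"stapled": False, "window": None, "remaining": None, "stale": None}
    remaining = t["Next Update"] - now           # negative once expired
    return {"stapled": True,
            "window": t["Next Update"] - t["This Update"],
            "remaining": remaining,
            "stale": remaining < timedelta(0)}

# Constructed samples reusing the timestamps quoted in the post.
LOCAL = """OCSP response:
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""
REMOTE = """OCSP response:
    This Update: Sep  6 06:29:30 2015 GMT
    Next Update: Sep 14 02:16:10 2015 GMT <--- 8 days
"""
CHECK_TIME = datetime(2015, 9, 7, 14, 17, 22, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for label, sample in (("local", LOCAL), ("remote", REMOTE)):
        print(label, staple_status(sample, CHECK_TIME))
```

Piping the live `openssl s_client ... -status` output into `staple_status()` from a scheduled job gives a simple alert condition: `stapled` false or `stale` true.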