OCSP stapling: automatic updates

173279834462 nginx-forum at nginx.us
Mon Sep 7 14:17:22 UTC 2015


nginx is not updating the ocsp response cache:

    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT

It is 16:09, so the cache is 8h behind. 

How would you diagnose and solve this problem? 

A related question is the duration of the cache. 
The local server uses 2 days, as shown above. 
How would you change this duration to, say, 8 days?

This is an example of an 8-day cache:

>echo QUIT | openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect ssllabs.com:443 -servername ssllabs.com -tlsextdebug -status 2>&1 | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K, CN = OCSP1
    Produced At: Sep  7 02:16:10 2015 GMT
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: CC6D221CF6B4552C2F87915F5AFEF0E1EECE83CC
      Issuer Key Hash: 82A27074DDBC533FCF7BD4F7CD7FA760C60A4CBF
      Serial Number: 50D359F0
    Cert Status: good
    This Update: Sep  6 06:29:30 2015 GMT
    Next Update: Sep 14 02:16:10 2015 GMT <--------------------- 8 days

Thank you,

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261473,261473#msg-261473
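
An added example, not part of the original post: a check that parses the `This Update` / `Next Update` lines from `openssl s_client -status` output like the one quoted above and reports whether the staple is past its Next Update. The function name, the 12-hour warning threshold and the use of the post's own timestamp as "now" are assumptions; the lifetime it reports is whatever the CA's responder signed into the response.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input: the stale staple from the post, as `openssl s_client -status` prints it.
STALE = """OCSP response:
    Cert Status: good
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""
# Constructed "now": the timestamp on the post itself (assumption for the demo).
POST_TIME = datetime(2015, 9, 7, 14, 17, 22, tzinfo=timezone.utc)

# Anchoring on the date shape ignores trailing annotations after "GMT".
_FIELD = re.compile(r"(This|Next) Update:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT")

def _utc(text):
    # openssl pads one-digit days ("Sep  7"); collapse the run before parsing.
    parsed = datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)

def staple_status(output, now=None, warn_below=timedelta(hours=12)):
    """Classify the stapled OCSP response found in s_client output."""
    now = now or datetime.now(timezone.utc)
    times = {kind: _utc(stamp) for kind, stamp in _FIELD.findall(output)}
    if "This" not in times:
        return {"state": "missing"}  # the server stapled nothing
    if "Next" not in times:
        # nextUpdate is optional in an OCSP response; report it instead of guessing.
        return {"state": "no-next-update", "this_update": times["This"]}
    remaining = times["Next"] - now
    if remaining < timedelta(0):
        state = "expired"    # still being served after Next Update
    elif remaining < warn_below:
        state = "expiring"   # hypothetical alert threshold
    else:
        state = "fresh"
    return {"state": state, "remaining": remaining,
            "lifetime": times["Next"] - times["This"]}

if __name__ == "__main__":
    result = staple_status(STALE, now=POST_TIME)
    print(result["state"], "overdue by", -result["remaining"],
          "lifetime", result["lifetime"])
```

Feed it the unfiltered output of the `s_client` command (without the `grep` stages) on a schedule to alert on an expired or missing staple.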
