OCSP stapling: automatic updates
Maxim Dounin
mdounin at mdounin.ru
Mon Sep 7 17:28:20 UTC 2015

Hello!

On Mon, Sep 07, 2015 at 10:17:22AM -0400, 173279834462 wrote:

> Hello,
>
> nginx is not updating the ocsp response cache:
>
> This Update: Sep 5 08:36:32 2015 GMT
> Next Update: Sep 7 08:36:32 2015 GMT
>
> It is 16:09, so the cache is 8h behind.
>
> How would you diagnose and solve this problem?

OCSP responses are re-requested by nginx after 1 hour; older
responses may be returned only if there are no requests for OCSP
stapling for a long time. If you consistently see an expired
response, this likely means that it's what the OCSP responder of your
CA returns.

Also, as of nginx 1.9.2, there are checks to avoid returning
expired OCSP responses, as this confuses some browsers. You may
want to upgrade if you see expired responses returned.

> A related question is the duration of the cache.
> The local server uses 2 days, as shown above.
> How would you change this duration to, say, 8 days?

"This Update" and "Next Update" aren't something nginx controls;
they are returned by the OCSP responder of your CA.

--
Maxim Dounin
http://nginx.org/
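
A way to tell apart the two cases the reply describes (nginx serving an old cached response versus the CA's responder itself returning an expired one), as an added example that is not part of the original message: it compares the text printed by `openssl s_client -status` with the text of a direct `openssl ocsp -resp_text` query to the responder. The function names, result labels, check times and the `NEWER` sample are constructed for illustration; the stapled dates are the ones quoted in the question.

```python
import re
from datetime import datetime, timezone

# Matches the validity lines OpenSSL prints for an OCSP response.
FIELD = re.compile(r"^\s*(This Update|Next Update):\s*(.+?)\s*$", re.M)

def parse_times(openssl_text):
    """Return (this_update, next_update) in UTC, or None if no response is present."""
    found = {}
    for name, value in FIELD.findall(openssl_text):
        stamp = " ".join(value.split())  # OpenSSL pads single-digit days: "Sep  5"
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
        found.setdefault(name, parsed.replace(tzinfo=timezone.utc))
    if "This Update" not in found:
        return None
    # nextUpdate is optional in an OCSP response, so it may be None.
    return found["This Update"], found.get("Next Update")

def diagnose(stapled_text, direct_text, now):
    """Classify the stapled response using the responder's direct answer."""
    stapled = parse_times(stapled_text)
    if stapled is None:
        return "no-staple"          # server sent no stapled response
    this_update, next_update = stapled
    if next_update is None or now <= next_update:
        return "not-expired"
    direct = parse_times(direct_text)
    if direct is not None and direct[0] > this_update:
        return "stale-cache"        # responder has newer data than the server staples
    return "responder-expired"      # responder itself hands out the expired response

# Constructed sample inputs, using the dates quoted in the question.
STAPLED = """OCSP response:
    Cert Status: good
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""
NEWER = """OCSP Response Data:
    Cert Status: good
    This Update: Sep  7 08:36:32 2015 GMT
    Next Update: Sep  9 08:36:32 2015 GMT
"""

if __name__ == "__main__":
    check_time = datetime(2015, 9, 7, 14, 9, tzinfo=timezone.utc)  # constructed
    print(diagnose(STAPLED, STAPLED, check_time))
    print(diagnose(STAPLED, NEWER, check_time))
```

A `stale-cache` result points at the server side (for example an nginx older than 1.9.2, or no stapling requests for a long time), while `responder-expired` matches the reply's explanation that the CA's responder returns the expired response.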