OCSP stapling: automatic updates

Maxim Dounin mdounin at mdounin.ru
Mon Sep 7 17:28:20 UTC 2015


On Mon, Sep 07, 2015 at 10:17:22AM -0400, 173279834462 wrote:

> Hello, 
> nginx is not updating the ocsp response cache:
>     This Update: Sep  5 08:36:32 2015 GMT
>     Next Update: Sep  7 08:36:32 2015 GMT
> It is 16:09, so the cache is 8h behind. 
> How would you diagnose and solve this problem? 

OCSP responses are re-requested by nginx after 1 hour; older 
responses may be returned only if there are no requests for OCSP 
stapling for a long time.  If you consistently see an expired 
response, this likely means that it's what the OCSP responder of 
your CA returns.

Also, as of nginx 1.9.2, there are checks to avoid returning 
expired OCSP responses as this confuses some browsers.  You may 
want to upgrade if you see expired responses returned.

> A related question is the duration of the cache. 
> The local server uses 2 days, as shown above. 
> How would you change this duration to, say, 8 days?

"This Update" and "Next Update" aren't something nginx controls; 
they are returned by the OCSP responder of your CA.

Maxim Dounin
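The diagnostic the reply points at is to ask the CA's responder directly and compare its This Update / Next Update against the clock, rather than blaming nginx's cache. The script below does that, as an added example that is not part of the original post and not nginx's own code. It assumes the openssl(1) command-line tool for the two live checks (`openssl ocsp` against the responder, `openssl s_client -status` against the server); the function names are hypothetical, and the embedded sample is constructed from the figures quoted in the thread, not real responder output. It also encodes the two rules stated above (nginx re-requests after 1 hour; nginx >= 1.9.2 does not staple an expired response) so the two conditions can be told apart.

```python
#!/usr/bin/env python3
"""Check what a CA's OCSP responder returns and how nginx would treat it.

Added example, not nginx code.  Parses the `This Update` / `Next Update`
lines printed by `openssl ocsp -resp_text` and `openssl s_client -status`,
decides whether the response is expired at a given moment, and applies the
rules from the reply: nginx re-requests a staple after 1 hour, and from
1.9.2 it refuses to staple an expired response.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Timestamp format openssl prints ("Sep  5 08:36:32 2015 GMT", day padded).
# strptime treats whitespace in the format as one-or-more, so it matches.
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"
NGINX_REFRESH = timedelta(hours=1)   # re-request interval stated in the reply

# Constructed sample modelled on the figures quoted in the thread above.
SAMPLE_RESPONSE = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""


def utc(stamp):
    """Parse an openssl-style GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp.strip(), OPENSSL_TIME).replace(tzinfo=timezone.utc)


def parse_ocsp_times(text):
    """Return (this_update, next_update) from openssl text output.

    next_update is None when the responder omits nextUpdate (RFC 6960 allows it).
    """
    def grab(label):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.MULTILINE)
        return utc(m.group(1)) if m else None
    this_update = grab("This Update")
    if this_update is None:
        raise ValueError("no 'This Update' line: not an OCSP response dump")
    return this_update, grab("Next Update")


def assess(this_update, next_update, now):
    """Classify the responder's answer as seen at time `now`."""
    if now < this_update:
        return "not-yet-valid"          # responder's clock is ahead of ours
    if next_update is not None and now > next_update:
        return "expired"                # the CA itself served a stale response
    return "fresh" if next_update is not None else "no-next-update"


def nginx_staples(status, version):
    """Would this nginx version hand the response to clients? (rule from the reply)"""
    if status == "expired":
        return tuple(int(x) for x in version.split(".")) < (1, 9, 2)
    return status in ("fresh", "no-next-update")


def demo(now=None):
    """Evaluate the constructed sample at the poster's wall clock (16:09 GMT).

    Returns (status, seconds past Next Update, validity window in seconds).
    """
    now = now or utc("Sep 7 16:09:00 2015 GMT")
    this_update, next_update = parse_ocsp_times(SAMPLE_RESPONSE)
    status = assess(this_update, next_update, now)
    past_due = int((now - next_update).total_seconds())
    window = int((next_update - this_update).total_seconds())
    return status, past_due, window


def query_responder(cert_pem, issuer_pem, url=None):
    """Ask the CA's responder directly with openssl(1); needs network access."""
    if url is None:
        url = subprocess.run(["openssl", "x509", "-noout", "-ocsp_uri", "-in", cert_pem],
                             check=True, capture_output=True, text=True).stdout.strip()
    return subprocess.run(["openssl", "ocsp", "-issuer", issuer_pem, "-cert", cert_pem,
                           "-url", url, "-resp_text", "-noverify"],
                          check=True, capture_output=True, text=True).stdout


def fetch_stapled(host, port=443):
    """Show what the server actually staples in the handshake; needs network access."""
    return subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                           "-servername", host, "-status"],
                          input="", capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # cert.pem issuer.pem: live check
        text, now = query_responder(sys.argv[1], sys.argv[2]), datetime.now(timezone.utc)
    else:                                       # offline: the constructed sample
        text, now = SAMPLE_RESPONSE, utc("Sep 7 16:09:00 2015 GMT")
    t, n = parse_ocsp_times(text)
    st = assess(t, n, now)
    print(f"This Update: {t:%Y-%m-%d %H:%M:%S} UTC, Next Update: "
          + (f"{n:%Y-%m-%d %H:%M:%S} UTC" if n else "absent"))
    print(f"status at {now:%Y-%m-%d %H:%M:%S} UTC: {st}; nginx re-requests after {NGINX_REFRESH}")
    print(f"nginx 1.8.0 would staple: {nginx_staples(st, '1.8.0')}; "
          f"nginx 1.9.2 would staple: {nginx_staples(st, '1.9.2')}")
```

Run with no arguments to replay the thread's numbers (the sample response is about seven and a half hours past its Next Update at 16:09, so an nginx older than 1.9.2 would still staple it while 1.9.2 would not); run with `cert.pem issuer.pem` to query your CA's responder for real. If the live `openssl ocsp` output already shows a Next Update in the past, the responder is the source of the stale data, exactly the situation the reply describes, and `fetch_stapled()` lets you confirm that what nginx sends in the handshake matches it.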

More information about the nginx mailing list