There is a newer OCSP response but was not provided by the server
Maxim Dounin
mdounin at mdounin.ru
Tue Sep 22 13:01:16 UTC 2015
Hello!
On Tue, Sep 22, 2015 at 05:33:57AM -0400, 173279834462 wrote:
> Hello,
>
> nginx is not updating the OCSP response cache.
>
> openssl says:
> [...]
> Cert Status: good
> This Update: Sep 9 09:59:46 2015 GMT
> Next Update: Sep 11 09:59:46 2015 GMT
>
> gnutls says "There is a newer OCSP response but was not provided by the
> server".
>
> The configuration says:
>
> [...]
> ssl_stapling on;
> ssl_stapling_verify on;
> ssl_stapling_file [...]/ssl/ocsp-response.der;
> [...]
>
>
> How do you enforce automatic update of the OCSP response cache?
You are using ssl_stapling_file, that is, nginx will always return
content of the file specified and it's you who have to update the
file. Quoting docs (http://nginx.org/r/ssl_stapling_file):
: When set, the stapled OCSP response will be taken from the
: specified file instead of querying the OCSP responder specified in
: the server certificate.
If you want nginx to fetch OCSP responses for you instead, comment
out this directive.
--
Maxim Dounin
http://nginx.org/
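As an added illustration (not part of this thread or of nginx), a small Python check that parses the `openssl ocsp -text` style output quoted in the question and reports whether a response served from a static ssl_stapling_file has passed its Next Update; the sample response text below is constructed from the dates in the question, and the function names are my own.

```python
"""Check the validity window of a stapled OCSP response as printed by
`openssl ocsp -text` / `openssl s_client -status` (constructed example)."""
import re
from datetime import datetime, timezone

# Constructed sample in the layout openssl prints, using the dates from the question.
SAMPLE_OCSP_TEXT = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Sep  9 09:59:46 2015 GMT
    Next Update: Sep 11 09:59:46 2015 GMT
"""

_DATE_FMT = "%b %d %H:%M:%S %Y GMT"   # openssl's ASN1_GENERALIZEDTIME print format


def _field(text, name):
    """Return the value of a 'Name: value' line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def _parse_time(s):
    # strptime treats whitespace in the format as \s+, so 'Sep  9' parses too.
    return datetime.strptime(s, _DATE_FMT).replace(tzinfo=timezone.utc)


def ocsp_validity(text):
    """Return (cert_status, this_update, next_update); next_update may be None."""
    nu = _field(text, "Next Update")
    return (_field(text, "Cert Status"),
            _parse_time(_field(text, "This Update")),
            _parse_time(nu) if nu else None)


def stapling_verdict(text, now_iso):
    """Classify a static stapled response at the UTC time given as ISO 8601.

    'stale' is what produces the gnutls complaint in the question: the file
    still holds a response whose Next Update has passed, and nginx will keep
    serving it until the file is replaced (or ssl_stapling_file is removed)."""
    now = datetime.fromisoformat(now_iso)
    status, this_update, next_update = ocsp_validity(text)
    if now < this_update:
        return "not-yet-valid"
    if next_update is None:
        # RFC 6960: no nextUpdate means newer information is always available.
        return "no-next-update"
    return "stale" if now >= next_update else "fresh"
```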