There is a newer OCSP response but was not provided by the server

Maxim Dounin mdounin at
Wed Sep 23 12:33:19 UTC 2015


On Tue, Sep 22, 2015 at 05:21:27PM -0400, 173279834462 wrote:

> The purpose of the ssl_stapling_file was to prime the cache. Without that
> file, openssl says "OCSP response: no response sent". For nginx to load the
> cache by itself, clients have to hit the same worker process a few times. I
> currently have 8 worker processes, which means that the server needs at
> least 8 simultaneous clients who are knowledgeable and patient enough to hit
> the server a few times, purging the cache of their browser each time. This
> does not seem to work all the time, however. I have a www to non-www
> redirection with stapling enabled on both. Hitting www does not fill the
> cache, and I keep seeing "OCSP response: no response sent". Am I missing
> something?

Yes.  Two basic points:

- The ssl_stapling_file directive completely replaces nginx OCSP 
  stapling logic, and it can't be used to only provide some 
  "initial" OCSP response;  it is to be used when you want to 
  implement your own OCSP distribution logic (e.g., on a server 
  without direct access to OCSP responder), and/or for debugging.

- OCSP responses are loaded once nginx sees connections with 
  Certificate Status Request TLS extension, i.e., a client asks 
  nginx to provide stapled OCSP response (and this happens 
  per-worker).  Though not providing an OCSP response isn't a 
  problem at all as OCSP stapling is just an optimization, and
  there is no need to care about pre-caching things.  As long as there 
  are clients who ask your server about an OCSP response - nginx 
  will load it and will provide it to clients as needed.

Maxim Dounin
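As an added example (not part of this thread, and not nginx's own tooling), a small POSIX shell check that does what the original poster was doing by hand: connect with the Certificate Status Request extension via `openssl s_client -status`, repeat it a few times so that more than one worker process gets asked, and count how many connections came back with a stapled response. Host, port and number of tries are arguments; the strings matched are the ones openssl prints.

```shell
#!/bin/sh
# Added example: probe a TLS server for OCSP stapling the way the thread
# describes, i.e. by sending the status_request extension and reading the
# "OCSP response:" section of `openssl s_client -status` output.

# Classify s_client output read from stdin. Prints one word:
#   stapled  - a stapled OCSP response with status "successful" was sent
#   none     - openssl reported "OCSP response: no response sent"
#   unknown  - neither line seen (connection failed, or unexpected output)
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Probe HOST (PORT, default 443) TRIES times (default 8) and report.
# nginx loads the response per worker the first time that worker sees the
# extension, so early tries to a cold server are expected to say "none";
# a server that has loaded everything answers "stapled" on every try.
probe_stapling() {
    host=$1; port=${2:-443}; tries=${3:-8}; ok=0; i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        result=$(printf 'Q\n' \
            | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
            | classify_stapling)
        echo "try $i: $result"
        [ "$result" = stapled ] && ok=$((ok + 1))
    done
    echo "$ok/$tries connections received a stapled OCSP response"
    [ "$ok" -eq "$tries" ]
}
```

Run as `probe_stapling example.org 443 8`; the function's exit status is 0 only when every connection got a stapled response, so it can be used in a monitoring check.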

More information about the nginx mailing list