There is a newer OCSP response but was not provided by the server

Maxim Dounin mdounin at
Wed Sep 23 16:16:26 UTC 2015


On Wed, Sep 23, 2015 at 11:39:13AM -0400, 173279834462 wrote:

> From my seat, the CA works and NGINX is not returning the
> OCSP response. In fact, I can generate the stapling manually. 

Most problems I've seen with OCSP stapling were about incorrect use 
of ssl_stapling_verify (without an appropriate set of trusted 
certificates).  Given the symptoms you describe and the fact that the 
configuration snippet you've quoted contains "ssl_stapling_verify 
on" (and doesn't contain ssl_trusted_certificate) - it's likely the 
issue you are facing.

> Barred the various considerations of what is or is not possible, 
> I think that a more robust solution is in order, for example, 
> nginx could (should at this point?) log the stapling progress, 
> so that sysadmin knows that the process is being executed, 
> possibly with relevant warnings and error messages.

All OCSP stapling errors (including ones related to OCSP response 
verification) are logged into nginx global error log.  Detailed 
progress can be seen at 'debug' level.

Maxim Dounin
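
An added example, not part of the original message and not nginx's own code: a small Python check for the misconfiguration described above, "ssl_stapling_verify on" with no ssl_trusted_certificate in effect for the server block. The sample configuration, server names and certificate path are constructed; the parser assumes a configuration without quoted strings or include directives.

```python
import re

# Constructed sample config (not from the thread). The first server repeats
# the reported pattern; the second supplies the trusted chain.
SAMPLE = """
http {
    ssl_stapling on;
    server {
        server_name a.example;
        ssl_stapling_verify on;   # no ssl_trusted_certificate anywhere
    }
    server {
        server_name b.example;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/ca-chain.pem;  # hypothetical path
    }
}
"""

def tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)            # drop comments
    return re.findall(r"[{};]|[^\s{};]+", text)    # braces, ';', bare words

def find_unverifiable_stapling(text):
    """Return the server_name of every server block where stapling and
    ssl_stapling_verify are on, but no ssl_trusted_certificate is set in
    the block or inherited from an enclosing one."""
    findings = []
    stack = [{}]   # effective directives for each currently open block
    words = []     # tokens of the directive being read
    for tok in tokenize(text):
        if tok == ";":
            if words:
                stack[-1][words[0]] = words[1:]
            words = []
        elif tok == "{":
            scope = dict(stack[-1])                # inherit parent settings
            scope["_block"] = words[0] if words else ""
            stack.append(scope)
            words = []
        elif tok == "}":
            scope = stack.pop()
            if (scope.get("_block") == "server"
                    and scope.get("ssl_stapling") == ["on"]
                    and scope.get("ssl_stapling_verify") == ["on"]
                    and "ssl_trusted_certificate" not in scope):
                findings.append(" ".join(scope.get("server_name", ["<unnamed>"])))
            words = []
        else:
            words.append(tok)
    return findings

if __name__ == "__main__":
    print(find_unverifiable_stapling(SAMPLE))
```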
