There is a newer OCSP response but was not provided by the server
Maxim Dounin
mdounin at mdounin.ru
Wed Sep 23 16:16:26 UTC 2015
Hello!
On Wed, Sep 23, 2015 at 11:39:13AM -0400, 173279834462 wrote:
> From my seat, the CA works and NGINX is not returning the
> OCSP response. In fact, I can generate the stapling manually.
Most problems I've seen with OCSP stapling were about incorrect use
of ssl_stapling_verify (without an appropriate set of trusted
certificates). Given the symptoms you describe and the fact that the
configuration snippet you've quoted contains "ssl_stapling_verify
on" (and doesn't contain ssl_trusted_certificate) - it's likely the
issue you are facing.
> Barred the various considerations of what is or is not possible,
> I think that a more robust solution is in order, for example,
> nginx could (should at this point?) log the stapling progress,
> so that sysadmin knows that the process is being executed,
> possibly with relevant warnings and error messages.
All OCSP stapling errors (including ones related to OCSP response
verification) are logged into nginx global error log. Detailed
progress can be seen at 'debug' level.
--
Maxim Dounin
http://nginx.org/
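
The misconfiguration described in the reply above, next to a corrected form, as an added example that is not part of the original message or the poster's configuration. Hostnames, file paths and the resolver address are placeholders; the resolver line is an assumption beyond what the message mentions, included because nginx needs it to resolve the OCSP responder's hostname.

```nginx
# Added example: all names, paths and addresses below are placeholders.

# error_log in the main context is the global error log, where OCSP
# stapling errors are written. 'debug' level produces debug output only
# if nginx was built with --with-debug.
error_log /var/log/nginx/error.log debug;

events {}

http {
    # Before: verification of the OCSP response is requested, but no
    # ssl_trusted_certificate is configured to verify it against.
    server {
        listen 443 ssl;
        server_name before.example.com;

        ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/example.com.key;

        ssl_stapling        on;
        ssl_stapling_verify on;
    }

    # After: the issuer, intermediate and root certificates are supplied
    # as trusted, so ssl_stapling_verify has what it needs.
    server {
        listen 443 ssl;
        server_name after.example.com;

        ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/tls/example.com.key;

        ssl_stapling            on;
        ssl_stapling_verify     on;
        ssl_trusted_certificate /etc/nginx/tls/example.com.ca-chain.pem;

        # Assumption, not from the message: lets nginx resolve the
        # OCSP responder hostname.
        resolver 192.0.2.53;
    }
}
```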