There is a newer OCSP response but was not provided by the server

173279834462 nginx-forum at nginx.us
Wed Sep 23 17:33:53 UTC 2015


> Simplest solution would be to switch off OCSP response verification.

I have just tried it. It takes two hits from a client to fill the cache of
its worker process. 

There are two problems with this:

- the other worker processes are not primed on restart, and therefore
  clients that require OCSP stapling will print an error instead of
  rendering the page (my FF does it).

- the stapling is not verified...

> Alternatively, provide appropriate certificates via the
> ssl_trusted_certificate directive, see
> http://nginx.org/r/ssl_stapling_verify for details.

Yes, done that as well. The ssl_trusted_certificate includes the
intermediate and the server's own. 

However, ...

>> For verification to work, the certificate of the server certificate
>> issuer, the root certificate, and all intermediate certificates should
>> be configured as trusted using the ssl_trusted_certificate directive.

So, nginx wants the root certificate too, which is nonsense. Can't nginx
get the root certificate by itself?

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261716,261784#msg-261784
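A check for the behaviour described in this thread, added here and not part of the post or of nginx: it classifies the OCSP section of `openssl s_client -status` output and then probes a server several times, because each nginx worker fills its stapling cache separately, so a freshly restarted server can staple on one connection and send nothing on the next. The host, port and connection count are assumptions passed as arguments.

```shell
#!/bin/sh
# Added example, not from the forum post. Parses the OCSP stapling lines
# that `openssl s_client -status` prints and probes a server repeatedly so
# that more than one nginx worker process is exercised.

# Reads s_client output on stdin and prints one of:
#   none                  - no stapled OCSP response was sent
#   stapled:<Cert Status> - a response was stapled (good/revoked/unknown)
# Exit status is 0 only for "stapled:good".
ocsp_status() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo none; return 1 ;;
    esac
    case "$out" in
        *"OCSP Response Status: successful"*) ;;
        *) echo none; return 1 ;;
    esac
    st=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: *//p' | head -n 1)
    echo "stapled:${st:-unknown-status}"
    [ "$st" = good ]
}

# Constructed sample of the relevant s_client lines (not real server output).
sample_output() {
    printf '%s\n' 'OCSP Response Data:' \
        '    OCSP Response Status: successful (0x0)' \
        '    Cert Status: good'
}

# Probe host:port N times (default 8) and report how many connections
# carried a good stapled response. Unprimed workers show up as "none".
check_stapling() {
    host=$1; port=${2:-443}; n=${3:-8}; ok=0; i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        r=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
              -servername "$host" -status 2>/dev/null | ocsp_status) || true
        echo "connection $i: $r"
        [ "$r" = stapled:good ] && ok=$((ok + 1))
    done
    echo "$ok/$n connections carried a good stapled OCSP response"
    [ "$ok" -eq "$n" ]
}
```

Run `check_stapling example.com 443 8` right after a restart of nginx to see whether every connection, and so every worker, staples; a run with some "none" results is the symptom the post describes.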
