There is a newer OCSP response but was not provided by the server
173279834462
nginx-forum at nginx.us
Wed Sep 23 17:33:53 UTC 2015
> Simplest solution would be to switch off OCSP response verification.
I have just tried it. It takes two hits from a client to fill the cache of
its worker process.
There are two problems with this:
- the other worker processes are not primed on restart, and therefore clients that
  require OCSP stapling will print an error instead of rendering the page (my FF does it).
- the stapling is not verified...
> Alternatively, provide appropriate certificates via the
> ssl_trusted_certificate directive, see
> http://nginx.org/r/ssl_stapling_verify for details.
Yes, done that as well. The ssl_trusted_certificate includes the
intermediate and the server's own.
However, ...
>> For verification to work, the certificate of the server certificate issuer,
>> the root certificate, and all intermediate certificates should be configured
>> as trusted using the ssl_trusted_certificate directive.
So, nginx wants the root certificate too, which is nonsense. Can't nginx
get the root certificate by itself?
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,261716,261784#msg-261784
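
The configuration discussed in this message, as an added example that is not part of the original post or of the nginx documentation: stapling with verification left on, and a trusted bundle that holds the issuer, the intermediates and the root, as the quoted documentation requires. The server name, file paths and resolver address are placeholders.

```nginx
server {
    listen      443 ssl;
    server_name example.com;                        # placeholder name

    # Certificate sent to clients: leaf first, then the intermediates.
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    # Staple the OCSP response and verify it before it is cached.
    # Setting ssl_stapling_verify to off, the first suggestion quoted
    # above, would staple responses that were never checked.
    ssl_stapling        on;
    ssl_stapling_verify on;

    # Bundle used only for verification, never sent to clients.
    # Per the quoted documentation it must contain the issuer of the
    # server certificate, all intermediates and the root certificate.
    ssl_trusted_certificate /etc/nginx/tls/chain-with-root.pem;  # placeholder path

    # Needed so nginx can resolve the OCSP responder hostname.
    resolver 192.0.2.53 valid=300s;                 # placeholder resolver address
}
```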