Large CRL file crashing nginx on reload

Maxim Dounin mdounin at
Fri Jul 27 15:19:18 UTC 2018


On Fri, Jul 27, 2018 at 10:56:38AM -0400, Shaun Tarves wrote:

> Here are the relevant parts of our configuration:
> worker_processes  1;
> pid        /var/run/;
> events {
>     worker_connections  512;
> }
> http {
>   server {
>     listen xx.xx.xx.xx:443 default_server ssl;
>     ssl on;
>     ssl_certificate /opt/xxx.pem;
>     ssl_certificate_key /opt/xxx.key;
>     ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>     ssl_session_cache shared:SSL:10m;
>     ssl_prefer_server_ciphers on;
>     ssl_verify_client optional;
>     ssl_client_certificate /opt/ca.crt.pem;
>     ssl_crl /opt/ca.crl/.pem;
>   }
> }

Configuration looks fine - there is only one server{} block where 
the "ssl_crl" directive is used, so there should be only one copy 
of CRL loaded per configuration.

Accordingly, it looks like you've simply run out of memory.  Check 
the amount of memory as available on your server (and/or memory 
limits, if any) and the amount of memory as used by nginx with the 
CRL loaded.  Note that for the configuration reload to work you 
will need extra memory to load an additional copy of the 
configuration and to start new worker processes. See for details 
on how configuration reload works.

Maxim Dounin
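
The memory check suggested in the reply above, as an added example that is not part of the original message: it compares what nginx holds now against what is available, including a cgroup limit. It assumes Linux `ps` and `/proc/meminfo` formats, cgroup v2 `memory.max`/`memory.current` values, and the rough rule that a reload needs about one more copy of nginx's current memory; the sample data is constructed.

```shell
#!/bin/sh
# Added example: rough check of memory headroom for an nginx reload
# when a large CRL is part of the configuration.

# Sum RSS in KiB of nginx processes; stdin is `ps -eo rss=,comm=` output.
# RSS counts pages shared by master and workers more than once, so this
# is an upper bound on what nginx currently holds.
nginx_rss_kib() {
    awk '$2 == "nginx" { sum += $1 } END { print sum + 0 }'
}

# Print MemAvailable in KiB; stdin is /proc/meminfo content.
mem_available_kib() {
    awk '$1 == "MemAvailable:" { v = $2 } END { print v + 0 }'
}

# Apply a cgroup v2 limit, if any. Args: host-available KiB, content of
# memory.max ("max" or bytes), content of memory.current (bytes).
effective_avail_kib() {
    a=$1; lim=$2; cur=$3
    if [ "$lim" != "max" ]; then
        room=$(( ($lim - $cur) / 1024 ))
        if [ "$room" -lt 0 ]; then room=0; fi
        if [ "$room" -lt "$a" ]; then a=$room; fi
    fi
    echo "$a"
}

# Assumption: a reload needs about one more copy of what nginx uses now
# (new configuration with its own CRL copy, plus new worker processes).
# Args: nginx RSS KiB, available KiB.
reload_headroom() {
    if [ "$2" -ge "$1" ]; then echo ok; else echo insufficient; fi
}

# Constructed sample data, so the script runs offline.
SAMPLE_PS='  1520 systemd
912344 nginx
915100 nginx
  3100 sshd'
SAMPLE_MEMINFO='MemTotal:        4039220 kB
MemFree:          201344 kB
MemAvailable:    1403912 kB'

rss=$(printf '%s\n' "$SAMPLE_PS" | nginx_rss_kib)
host=$(printf '%s\n' "$SAMPLE_MEMINFO" | mem_available_kib)
avail=$(effective_avail_kib "$host" max 0)
echo "nginx RSS ${rss} KiB, available ${avail} KiB: $(reload_headroom "$rss" "$avail")"
```

On a live host, feed the functions `ps -eo rss=,comm=` and `/proc/meminfo` instead of the samples, before and after loading the CRL.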
