Large CRL file crashing nginx on reload
Maxim Dounin
mdounin at mdounin.ru
Fri Jul 27 15:19:18 UTC 2018
Hello!
On Fri, Jul 27, 2018 at 10:56:38AM -0400, Shaun Tarves wrote:
> Here are the relevant parts of our configuration:
>
> worker_processes 1;
> pid /var/run/nginx.pid;
> events {
>     worker_connections 512;
> }
> http {
>     server {
>         listen xx.xx.xx.xx:443 default_server ssl;
>         ssl on;
>         ssl_certificate /opt/xxx.pem;
>         ssl_certificate_key /opt/xxx.key;
>         ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
>         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
>         ssl_session_cache shared:SSL:10m;
>         ssl_prefer_server_ciphers on;
>         ssl_verify_client optional;
>         ssl_client_certificate /opt/ca.crt.pem;
>         ssl_crl /opt/ca.crl/.pem;
>     }
> }
Configuration looks fine - there is only one server{} block where
the "ssl_crl" directive is used, so there should be only one copy
of CRL loaded per configuration.

Accordingly, it looks like you've simply run out of memory. Check
the amount of memory as available on your server (and/or memory
limits, if any) and the amount of memory as used by nginx with the
CRL loaded. Note that for the configuration reload to work you
will need extra memory to load an additional copy of the
configuration and to start new worker processes. See
http://nginx.org/en/docs/control.html#reconfiguration for details
on how configuration reload works.
--
Maxim Dounin
http://mdounin.ru/
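
An added example, not part of the original message and not nginx's own tooling: a rough pre-reload check of the memory headroom the reply describes, comparing what the running nginx uses against what the host still has available. It assumes Linux /proc and the pid path from the quoted configuration; the estimate (one more master-sized copy of the configuration plus a second set of workers) is a labelled heuristic, and the sample figures are constructed.

```python
#!/usr/bin/env python3
"""Rough pre-reload memory check for nginx (added example, heuristic)."""
import glob
import re
import sys
from pathlib import Path

def field_kb(text, name):
    """Return a 'Name:   123 kB' value from /proc text as int kB, or None."""
    m = re.search(rf"^{re.escape(name)}:\s+(\d+)\s*kB", text, re.MULTILINE)
    return int(m.group(1)) if m else None

def reload_estimate(master_rss_kb, worker_rss_kb, mem_available_kb):
    """Assumption: a reload transiently needs about one more copy of the
    master's configuration (CRL included) plus a new set of workers while
    the old ones are still running. RSS also counts pages shared after
    fork(), so this is a pessimistic upper bound, not an exact figure."""
    needed = master_rss_kb + sum(worker_rss_kb)
    return needed, mem_available_kb - needed

def live_numbers(pid_file="/var/run/nginx.pid"):
    """Collect master RSS, worker RSS list and MemAvailable from /proc."""
    master = Path(pid_file).read_text().strip()
    master_rss = field_kb(Path(f"/proc/{master}/status").read_text(), "VmRSS")
    workers = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            text = Path(path).read_text()
        except OSError:  # process exited while we were scanning
            continue
        if re.search(rf"^PPid:\s+{master}$", text, re.MULTILINE):
            workers.append(field_kb(text, "VmRSS") or 0)
    avail = field_kb(Path("/proc/meminfo").read_text(), "MemAvailable")
    return master_rss or 0, workers, avail or 0

# Constructed sample input (not from the thread), used with --demo.
SAMPLE_STATUS = "Name:\tnginx\nPPid:\t1\nVmRSS:\t  412000 kB\n"
SAMPLE_MEMINFO = "MemTotal:  2048000 kB\nMemAvailable:   600000 kB\n"

if __name__ == "__main__":
    if "--demo" in sys.argv:
        rss = field_kb(SAMPLE_STATUS, "VmRSS")
        nums = (rss, [rss], field_kb(SAMPLE_MEMINFO, "MemAvailable"))
    else:
        nums = live_numbers()
    needed, headroom = reload_estimate(*nums)
    print(f"estimated extra for reload: {needed} kB, headroom: {headroom} kB")
    sys.exit(0 if headroom > 0 else 1)  # non-zero: reload may hit OOM
```

Any cgroup or ulimit memory limit on the nginx service is not visible in MemAvailable and has to be compared against the same estimate separately.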