stable | mainline - encoding error ssl_stapling_file
A. Schulze
sca at andreasschulze.de
Tue Jan 1 17:04:30 UTC 2019
On 01.01.19 at 17:10, ѽ҉ᶬḳ℠ wrote:
> Hi,
>
> would appreciate to get this (weird) error sorted/resolved. Having looked up public sources I could not find a remedy and thus placing my hope on this list.
>
> ssl_stapling_file foo.bar.der;
> ssl_stapling on;
>
> nginx -t then produces:
>
> [emerg] 24249#24249: d2i_OCSP_RESPONSE_bio("/srv/ca/certs/ocsp_to_lan_3.cert.der") failed (SSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:Field=responseStatus, Type=OCSP_RESPONSE)
>
> With:
>
> # ssl_stapling on;
>
> there is no such error?!
>
> openssl x509 -noout -text -inform der -in foo.bar.der prints the certificate just fine. Having switched between utf8 and ascii did not make a difference either, same outcome.
>
> openssl asn1parse -inform DER -in foo.bar.der is also printing the values just fine.
Hello & happy new year!
You did not mention how you generate "foo.bar.der".
nginx stapling support may work in two operational modes:
1. only "ssl_stapling on" and no "ssl_stapling_file" given.
-> upon the first request nginx will fetch OCSP stapling data from the CA's OCSP server and send this information as part of the second and any following requests
2. "ssl_stapling on" and "ssl_stapling_file" given.
-> you have to manually provide OCSP data. nginx will serve any request including these OCSP data.
The file you reference as "ssl_stapling_file" could be generated by this command:
$ openssl ocsp -no_nonce -respout "${OCSP_STAPLING_FILE}" -CAfile "${CA_CHAIN}" -issuer "${ISSUER}" -cert "${CERT}" -url "${OCSP_URI}"
$ kill -HUP $( cat /path/to/nginx.pid )
That has to be done again after some days.
Andreas