what happens when nginx cannot request certificate status using ssl_stapling_verify

J.R. themadbeaker at gmail.com
Tue Jan 14 13:43:42 UTC 2020


> I enable "ssl_stapling" and "ssl_stapling_verify", it can work fine. But
> sometimes, I can find a few error messages in error.log, ".....Operation
> timed out) while requesting certificate status....", it seems the OCSP server
> of my SSL provider cannot be connected at that time.
>
> I want to know, what happens when nginx cannot request certificate status? Can
> the user visit the website correctly? Thank you so much.

1. The OCSP certificate is valid for much longer than the intervals
your server renews it at, so even if you can't connect for a while it
should still be valid.
2. The client will contact the certificate's OCSP server directly if
you don't send the OCSP cert (or it's expired) for verification.
3. The above #2 statement assumes your SSL Cert was NOT generated with
"Must Staple". If it is, then you would definitely need a valid OCSP
cert copy to send to clients, otherwise they will get an error.

I see several failed attempts in my error log every day, it happens...
Unless you have dozens & dozens of them from the same IP, then I
wouldn't worry about it.
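Two checks that follow from points #2 and #3 above, as an added example that is not part of the original reply: whether a certificate carries the Must-Staple (TLS Feature: status_request) extension, and whether a running server is currently sending a staple. It assumes an `openssl` binary from OpenSSL 1.1.1 or later; the host and certificate path are placeholders.

```bash
#!/bin/sh
# has_must_staple CERT.pem
# Returns 0 if the certificate contains the TLS Feature extension with
# status_request (RFC 7633 "Must-Staple"), 1 otherwise. Such a certificate
# makes a missing or expired staple a hard failure in clients that honour it.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -q 'status_request'
}

# server_staples HOST [PORT]
# Returns 0 if the TLS handshake carried a successful OCSP staple, 1 if the
# server sent none (e.g. nginx could not fetch a fresh response from the CA).
server_staples() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# assess HOST CERT.pem
# Combines both checks into the practical answer to the question above.
assess() {
    if has_must_staple "$2"; then
        if server_staples "$1"; then
            echo "Must-Staple cert and a staple is being sent: OK"
        else
            echo "Must-Staple cert but NO staple sent: clients will fail"
            return 1
        fi
    else
        if server_staples "$1"; then
            echo "Staple sent; no Must-Staple, so a missed fetch only costs a client-side OCSP lookup"
        else
            echo "No staple sent; clients fall back to querying the OCSP responder themselves"
        fi
    fi
}

# Placeholder usage (hypothetical host and path):
# assess www.example.com /etc/nginx/ssl/fullchain.pem
```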


More information about the nginx mailing list