Restarting service takes too much time
A. Schulze
sca at andreasschulze.de
Sun Dec 4 12:29:16 UTC 2022
On 04.12.22 at 08:04, blason wrote:
> Yes - he is right; everything revolves around DNS and even my error is
> with DNS resolving as it was not able to resolve ocsp.godaddy.com, hence
> please troubleshoot from the DNS perspective.
Hello List,
To avoid these problems I prefer https://nginx.org/r/ssl_stapling_file
Some years ago I ran an nginx instance handling thousands of vhosts.
The reload time, in practice not noticeable, was amazing!
Attached is a simplified 'update_ssl_stapling_file'.
It should be run once a day.
The operator should monitor that every 'ssl_stapling_file.der' isn't older than 3-4 days.
Andreas
-------------- next part --------------
#!/bin/sh
set -u
# used files:
#
# cert.pem
# - contains only the server certificate itself
#
# intermediate.pem
# - contains one or more intermediate certificates, excluding the root itself
# - may be empty
# - this script assumes exactly one intermediate
#
# root.pem
# - the root, unused in this example
#
# cert+intermediate.pem
# - created by 'cat cert.pem intermediate.pem > cert+intermediate.pem'
# - used as https://nginx.org/r/ssl_certificate
#
# key.pem
# - used as https://nginx.org/r/ssl_certificate_key
#
# ssl_stapling_file.der
# - created by this script
# - used as https://nginx.org/r/ssl_stapling_file

failed() {
    echo >&2 "$0 failed: $1"
    rm -f ssl_stapling_file.tmp
    exit 1
}

# the responder URL is taken from the certificate's AIA extension
_ocsp_uri="$( openssl x509 -in cert.pem -noout -ocsp_uri )"
[ -n "${_ocsp_uri}" ] || failed 'cert.pem carries no OCSP responder URI'

# fetch the response; -respout writes the file even when verification fails,
# so write to a temporary name and rename only after the checks below
if ! _r="$( openssl ocsp \
    -no_nonce \
    -respout ssl_stapling_file.tmp \
    -CAfile intermediate.pem \
    -issuer intermediate.pem \
    -cert cert.pem \
    -url "${_ocsp_uri}" \
    2>&1 )"; then
    failed "${_r}"
fi

# both conditions must hold: the response signature verifies AND the
# certificate status is 'good'; a verified 'revoked' answer must never be
# installed as the staple
if ! printf '%s\n' "${_r}" | grep --text --silent 'Response verify OK'; then
    failed "${_r}"
fi
if ! printf '%s\n' "${_r}" | grep --text --silent '^cert.pem: good'; then
    failed "${_r}"
fi

mv ssl_stapling_file.tmp ssl_stapling_file.der
echo 'ssl_stapling_file.der updated, "nginx -s reload" is recommended'
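The monitoring the post asks the operator for, as an added example that is not part of Andreas' attachment: it checks the age of ssl_stapling_file.der and, with openssl, that the stored response still verifies, says 'good' and has not passed its nextUpdate. It assumes the same file names as the script's comment block.

```shell
#!/bin/sh
# check_ssl_stapling_file: added monitoring example, not part of the original post
set -u

# staple_age_ok FILE MAX_DAYS
# 0 if FILE exists, is non-empty and was modified within the last MAX_DAYS days
# (find -mtime counts whole 24h periods)
staple_age_ok() {
    [ -s "$1" ] || return 1
    # find prints the path only when the file is older than MAX_DAYS days
    [ -z "$( find "$1" -prune -mtime +"$2" )" ]
}

# staple_content_ok STAPLE CERT ISSUER
# 0 if the stored response verifies against ISSUER, reports 'good' for CERT and
# is still inside its thisUpdate/nextUpdate window (openssl prints
# "WARNING: Status times invalid." when it is not)
staple_content_ok() {
    _out="$( openssl ocsp -no_nonce -respin "$1" -cert "$2" \
        -issuer "$3" -CAfile "$3" 2>&1 )" || return 1
    printf '%s\n' "${_out}" | grep -q 'Response verify OK' || return 1
    printf '%s\n' "${_out}" | grep -q "^$2: good" || return 1
    ! printf '%s\n' "${_out}" | grep -q 'Status times invalid'
}

# check_staple STAPLE MAX_DAYS CERT ISSUER
# prints a one-line verdict; exit status 0 only when both checks pass
check_staple() {
    if ! staple_age_ok "$1" "$2"; then
        echo >&2 "$1: missing, empty or older than $2 days; run update_ssl_stapling_file"
        return 1
    fi
    if ! staple_content_ok "$1" "$3" "$4"; then
        echo >&2 "$1: stored response does not verify, is not 'good' or has expired"
        return 1
    fi
    echo "$1: ok"
}

# usage: check_ssl_stapling_file ssl_stapling_file.der 3 cert.pem intermediate.pem
if [ $# -eq 4 ]; then
    check_staple "$@"
fi
```

A non-zero exit from either check is the signal to alert on; the age check alone catches a broken cron job, the content check catches a staple that is present but no longer usable.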