Restarting service takes too much time

A. Schulze sca at andreasschulze.de
Sun Dec 4 12:29:16 UTC 2022
Am 04.12.22 um 08:04 schrieb blason:
> Yes - He is right; everything revolves around DNS and even my error is
> with DNS resolving as it was not able to resolve the ocsp.godaddy.com, hence
> please troubleshoot from the DNS perspective.

Hello List,

To avoid these problems I prefer https://nginx.org/r/ssl_stapling_file

Some years ago I ran an nginx instance handling thousands of vhosts.
The reload time (in practice not noticeable) was amazing!

Attached is a simplified 'update_ssl_stapling_file'.

It should be run once a day.
The operator should monitor that every 'ssl_stapling_file.der' isn't older than 3-4 days.

Andreas
-------------- next part --------------
#!/bin/sh

set -u

# used files:
#
# cert.pem
# - contains only the server certificate itself
#
# intermediate.pem
# - contains one or more intermediate certificates, excluding the root itself
# - may be empty
# - this script assumes exactly one intermediate
#
# root.pem
# - the root, unused in this example
#
# cert+intermediate.pem
# - created by 'cat cert.pem intermediate.pem > cert+intermediate.pem'
# - used as https://nginx.org/r/ssl_certificate
#
# key.pem
# - used as https://nginx.org/r/ssl_certificate_key
#
# ssl_stapling_file.der
# - created by this script
# - used as https://nginx.org/r/ssl_stapling_file

# OCSP responder URL from the certificate's AIA extension
_ocsp_uri="$( openssl x509 -in cert.pem -noout -ocsp_uri )"

failed() {
  echo >&2 "$0 failed: $1"
  rm -f ssl_stapling_file.tmp
  exit 1
}

# without an AIA OCSP URI there is nothing to query
[ -n "${_ocsp_uri}" ] || failed "no OCSP URI found in cert.pem"

if ! _r="$( openssl ocsp                     \
              -no_nonce                      \
              -respout ssl_stapling_file.tmp \
              -CAfile  intermediate.pem      \
              -issuer  intermediate.pem      \
              -cert    cert.pem              \
              -url     "${_ocsp_uri}"        \
            2>&1 )"; then
  failed "${_r}"
fi

# both conditions must hold: the response must verify AND the status must be
# "good". A single grep with two -e patterns matches either line alone, so
# an unverified response whose status line still says "good" would slip through.
if ! echo "${_r}" | grep --text --quiet 'Response verify OK'; then
  failed "${_r}"
fi
if ! echo "${_r}" | grep --text --quiet 'cert.pem: good'; then
  failed "${_r}"
fi

mv ssl_stapling_file.tmp ssl_stapling_file.der
echo 'ssl_stapling_file.der updated, "nginx -s reload" is recommended'


More information about the nginx mailing list
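The post leaves two things to the operator: deciding from the `openssl ocsp` output whether the new staple is actually usable, and monitoring that the file is not stale. The script below is an added example (not part of the original post or of nginx) showing both checks as reusable shell functions. The function names, the nginx vhost snippet in the comments and the three sample `openssl ocsp` outputs are constructed for this example; the third sample is the case a single `grep -e A -e B` accepts by mistake, since it only requires one of the two patterns to match.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the ssl_stapling_file
# workflow. Function names and the sample outputs are assumptions made here.
#
# nginx side (assumed vhost snippet):
#   ssl_stapling on;
#   ssl_stapling_file /etc/nginx/ssl/ssl_stapling_file.der;
set -u

# Constructed samples of what "openssl ocsp ... 2>&1" prints. Real output also
# carries an error trace after "Response Verify Failure"; it is omitted here.
SAMPLE_GOOD='Response verify OK
cert.pem: good
    This Update: Dec  4 10:00:00 2022 GMT
    Next Update: Dec 11 10:00:00 2022 GMT'

SAMPLE_REVOKED='Response verify OK
cert.pem: revoked
    This Update: Dec  4 10:00:00 2022 GMT
    Next Update: Dec 11 10:00:00 2022 GMT
    Reason: keyCompromise
    Revocation Time: Dec  1 09:00:00 2022 GMT'

# status says "good" but the signature did not verify: must be rejected
SAMPLE_UNVERIFIED='Response Verify Failure
cert.pem: good
    This Update: Dec  4 10:00:00 2022 GMT
    Next Update: Dec 11 10:00:00 2022 GMT'

# Succeed only when the captured openssl ocsp output shows BOTH a verified
# response AND a "good" status for the named certificate. Two separate greps
# are used on purpose: "grep -e A -e B" matches either pattern, not both.
ocsp_output_ok() {
  _out="$1"
  _cert="${2:-cert.pem}"
  printf '%s\n' "${_out}" | grep -q 'Response verify OK' || return 1
  printf '%s\n' "${_out}" | grep -q "^${_cert}: good"     || return 1
  return 0
}

# Succeed when FILE exists and was modified within the last MAX_DAYS days.
# "find -mtime +N" lists files changed more than N*24h ago (fraction of a day
# discarded), so the default +3 flags files that are four or more days old,
# matching the 3-4 day monitoring window suggested in the post.
staple_is_fresh() {
  _file="$1"
  _max_days="${2:-3}"
  [ -f "${_file}" ] || return 1
  [ -z "$(find "${_file}" -mtime "+${_max_days}")" ]
}

# Print the "Next Update" time embedded in a DER OCSP response; this is the
# real freshness signal, independent of the file's mtime (needs openssl and a
# real response file, so it is not exercised by the sample data above).
staple_next_update() {
  openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
    | sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Cron-style operator check: exit non-zero on a missing or stale staple.
check_staple() {
  _file="${1:-ssl_stapling_file.der}"
  if staple_is_fresh "${_file}" 3; then
    echo "${_file}: fresh (next update: $(staple_next_update "${_file}"))"
  else
    echo >&2 "${_file}: missing or older than 3 days, rerun update_ssl_stapling_file"
    return 1
  fi
}
```

`ocsp_output_ok` is the check to put between the `openssl ocsp` call and the `mv` into place; `check_staple` is what the daily monitoring job would run, and for a real deployment comparing `staple_next_update` against the current date is stricter than the mtime test, because a responder can hand out a response whose validity window is shorter than the update interval.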