About nginx and OCSP Must-Staple

wordlesswind i at qingly.me
Thu Feb 24 18:06:06 UTC 2022

Hello guys,

I enabled OCSP Must-Staple, then I found that after restarting nginx, I 
visiting my website for the first time.

I think this error means that the server is not caching OCSP information.

My nginx.conf is as follows:

     server {
         listen   443 ssl http2 reuseport;
         listen   [::]:443 ssl http2;
         server_name  example.org;

         # ECC certificate and key
         ssl_certificate      /path/to/ecc/fullchain.cer;
         ssl_certificate_key  /path/to/ecc/example.org.key;

         # RSA certificate and key
         ssl_certificate      /path/to/rsa/fullchain.cer;
         ssl_certificate_key  /path/to/rsa/example.org.key;

         # OCSP stapling; the resolver is needed to reach the OCSP responder
         ssl_stapling         on;
         resolver             <internal dns1> <internal dns2> valid=300s;
         ssl_stapling_verify  on;

         ssl_session_cache    shared:SSL:10m;
         ssl_session_timeout  1d;

         ssl_protocols        TLSv1.2 TLSv1.3;
         ssl_ecdh_curve       secp384r1;

         ssl_early_data       on;
     }

Since I have ECC and RSA dual certificates configured and they are 
intact, I did not configure "ssl_trusted_certificate".

Do I need to configure other parameters like "ssl_ocsp" to solve the 
problem I'm having now?

Also, I found a small issue: I noticed that the latest version of Google 
Chrome/Microsoft Edge will choose to get the RSA certificate instead of the ECC one:

   RSA 4096 R3

   ECC 384 E1

   Issuer Let's Encrypt

I wonder why Chromium made this choice. Thank you!

Best Regards,
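A diagnostic for the symptom described above, added here as an example and not part of the original post: it runs `openssl s_client -status` against a host and reports whether a stapled OCSP response came back, with the parsing split out so it can be exercised offline on the constructed sample output embedded in the script. The hostname, port and the optional `-sigalgs` value are assumptions to fill in.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a TLS server
# returns a stapled OCSP response, the thing a Must-Staple client hard-fails
# on when it is absent. Parsing is kept in a function so it can be run on
# captured output without a network connection.

# Constructed sample of the relevant part of `openssl s_client -status`
# output when a staple is present (abbreviated; not captured from any
# real server).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb 20 00:00:00 2022 GMT
    Next Update: Feb 27 00:00:00 2022 GMT'

# Constructed sample of the output when no staple was sent.
SAMPLE_NONE='OCSP response: no response sent'

# ocsp_status OUTPUT -> "stapled:<cert status>", "missing" or "unknown"
ocsp_status() {
    case "$1" in
        *"no response sent"*) echo "missing" ;;
        *"OCSP Response Status: successful"*)
            status=$(printf '%s\n' "$1" | sed -n 's/^ *Cert Status: //p' | head -n1)
            echo "stapled:${status:-unknown}" ;;
        *) echo "unknown" ;;
    esac
}

# Live check. Usage: check_host example.org [port] [sigalgs]
# sigalgs is optional: "ECDSA+SHA256" steers the server to the ECC
# certificate, "RSA-PSS+SHA256" to the RSA one, so each staple can be
# checked on its own. (host/port/sigalgs are assumed inputs.)
check_host() {
    host=$1; port=${2:-443}
    sigalgs_opt=""
    [ -n "$3" ] && sigalgs_opt="-sigalgs $3"
    out=$(printf '' | openssl s_client -connect "$host:$port" \
          -servername "$host" -status $sigalgs_opt 2>/dev/null)
    ocsp_status "$out"
}
```

Run check_host twice right after restarting nginx: it fetches the OCSP response in the background on the first handshake, so the first run usually reports missing and the second stapled, which is exactly the window in which a Must-Staple certificate makes the client refuse the connection.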

