OCSP checks fail only on 1st site hit; OK afterwards ?

PGNet Dev pgnet.dev at gmail.com
Wed Nov 9 22:00:25 UTC 2022

This 2012 post

	Priming the OCSP cache in Nginx


	in Nginx 1.3.7, unfortunately architectural restrictions made it impractical to make it so that pre-fetching the OCSP response on server start-up so instead the first connection to the server primes the cache that is used for later connections.

	This is a fine compromise but what if you really want the first connection to have the benefit too? Well there are two approaches you can take:

where OCSP pre-fetching is a challenge that Cloudflare similarly took up in 2017 outside of its then-Nginx usage,

	High-reliability OCSP stapling and why it matters

Adding to

	edit /etc/systemd/system/nginx.service

+		ExecStartPost=/bin/bash /etc/nginx/scripts/ocsp_prefetch.sh


	cat /etc/nginx/scripts/ocsp_prefetch.sh

iterates over served domains,

	echo QUIT | openssl s_client -connect ${_thisDom}:443 -servername ${_thisDom} -tls1_3  -tlsextdebug -status 2> /dev/null

Does the trick.  After cold reboot, 1st hits to site(s) no longer fail to respond in-browser, or fail to provide OCSP response to openssl s_client query.

IS there an nginx prefetch mechanism available natively in current version ?

I found this 7 yr old enhancement request,

	Fetch OCSP responses on startup, and store across restarts

which afaict wasn't resolved.

More information about the nginx mailing list