"ssl_stapling" ignored warning on boot with LE certs?
PGNet Dev
pgnet.dev at gmail.com
Wed Feb 15 17:25:09 UTC 2023
i run

    nginx -v
    nginx version: nginx/1.23.3 (Local Build)

nginx is launched on boot with a systemd service

my site's ssl enabled, using letsencrypt certs

in my boot logs, i see

    Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org/" in the certificate "/sec/svr017/fullchain.ec.crt.pem"

nginx site config includes

    ssl_trusted_certificate "/sec/svr017/intermediate_ca.ec.crt.pem";
    ssl_certificate "/sec/svr017/fullchain.ec.crt.pem";
    ssl_certificate_key "/sec/svr017/priv.ec.key";
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_ocsp on;
    ssl_ocsp_cache shared:OCSP:10m;
    ssl_stapling_responder http://r3.o.lencr.org/;
    ssl_ocsp_responder http://r3.o.lencr.org/;

checking the cert

    openssl x509 -noout -text -in /sec/svr017/fullchain.ec.crt.pem | grep -i ocsp -A2 -B1
    Authority Information Access:
        OCSP - URI:http://r3.o.lencr.org
        CA Issuers - URI:http://r3.i.lencr.org/
    X509v3 Subject Alternative Name:

from the host

    dig A r3.o.lencr.org +short
    o.lencr.edgesuite.net.
    a1887.dscq.akamai.net.
    23.215.130.112
    23.215.130.106
    23.215.130.113
    23.215.130.88

    telnet -4 r3.o.lencr.org 80
    Trying 23.63.77.32...
    Connected to r3.o.lencr.org.
    Escape character is '^]'.

    curl -Ii http://r3.o.lencr.org/
    HTTP/1.1 200 OK
    Server: nginx
    Content-Length: 0
    Cache-Control: max-age=5863
    Expires: Wed, 15 Feb 2023 18:52:39 GMT
    Date: Wed, 15 Feb 2023 17:14:56 GMT
    Connection: keep-alive

is this warning due to an nginx misconfig? or a cert issue?
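
Added example, not part of the original post and not nginx code: nginx looks up the OCSP responder host name while it loads the configuration, so this sketch pulls the responder and certificate out of the warning quoted above and re-runs the lookup to tell a start-time-only failure from a persistent one. The function names and the second log line are constructed for illustration.

```python
import re
import socket

# Shape of the warning quoted in the post above.
WARN_RE = re.compile(
    r'"ssl_stapling" ignored, (?P<reason>.+?) in OCSP responder '
    r'"(?P<responder>[^"]+)" in the certificate "(?P<cert>[^"]+)"'
)

def responder_host(responder):
    """Reduce 'r3.o.lencr.org/' or 'http://host:80/path' to the bare host name."""
    rest = responder.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0]

def system_resolves(host):
    """True if the system resolver returns an address for host right now."""
    try:
        return bool(socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP))
    except socket.gaierror:
        return False

def triage(log_lines, resolves=system_resolves):
    """Return one finding per stapling warning found in log_lines."""
    findings = []
    for line in log_lines:
        m = WARN_RE.search(line)
        if not m:
            continue
        host = responder_host(m["responder"])
        if m["reason"] != "host not found":
            verdict = "not a name-resolution failure"
        elif resolves(host):
            verdict = "resolves now: lookup failed only when nginx loaded its config"
        else:
            verdict = "still unresolvable: check DNS or the responder name"
        findings.append({"host": host, "cert": m["cert"],
                         "reason": m["reason"], "verdict": verdict})
    return findings

# The journal line from the post, plus one constructed unrelated line.
SAMPLE_LOG = [
    'Feb 15 11:54:03 svr017 nginx[912]: nginx: [warn] "ssl_stapling" ignored, '
    'host not found in OCSP responder "r3.o.lencr.org/" in the certificate '
    '"/sec/svr017/fullchain.ec.crt.pem"',
    'Feb 15 11:54:03 svr017 systemd[1]: Started nginx.service.',  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Feeding it the boot journal (for example the lines from `journalctl -b -u nginx`) gives one verdict per certificate that lost stapling at start.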