How to enable OCSP on Nginx, please

I use to apply for a Letsencrypt SSL certificate.

Recently, we found that the CNAME domain of Letsencrypt’s OCSP domain ( was DNS polluted in China, which caused the https website to be very slow on iOS devices. (Android is not affected yet.)

So, I planned to enable OCSP stapling to resolve this issue. I’ve tried everything but still failed.

Below are my tries:

First, I added two DNS records in the internal DNS server:

Plan A:

Add the config below in the server block of the Nginx virtual host config file:

server {
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver; # internal DNS server
    listen 443 ssl http2;
    ssl_certificate /data/letsencrypt/;
    ssl_certificate_key /data/letsencrypt/;
    include /data/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /data/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

After restarting the nginx docker container, I checked the OCSP, but it wasn’t enabled:

openssl s_client -connect -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
OCSP response: no response sent

Plan B:

Get the OCSP response:

openssl ocsp -no_nonce \
    -respout /root/ \
    -issuer /root/ \
    -cert /root/ \
    -url \
    -header "HOST" ""

But I got some errors:

Response Verify Failure
139961608943504:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
/root/ good
	This Update: Jun 28 06:00:00 2020 GMT
	Next Update: Jul  5 06:00:00 2020 GMT

nginx version: 1.17

Could anyone tell me how to enable OCSP or resolve this issue? Please.

1 Like
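As an added example (not code from the thread), here is a small POSIX shell check that classifies the output of the `openssl s_client -status` test used above, so the stapling state can be scripted and monitored rather than read by eye; the hostname argument is a placeholder. Note that nginx fetches the OCSP response in the background after the first handshake, so the first check right after a restart is expected to report no staple even when the configuration is correct.

```shell
#!/bin/sh
# Added example, not from the original post: classify OCSP stapling state
# from `openssl s_client -status -tlsextdebug` output. HOST is a placeholder.

# Reads openssl s_client output on stdin and prints exactly one word:
# "stapled", "not-stapled" or "unknown".
# "OCSP response: no response sent" is the line seen in the post above:
# the server completed the handshake without a stapled response.
classify_stapling_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo "stapled" ;;
        *"OCSP response: no response sent"*)  echo "not-stapled" ;;
        *)                                    echo "unknown" ;;
    esac
}

# Connects to HOST:PORT with SNI and classifies the stapling state.
# nginx obtains the OCSP response asynchronously after the first handshake,
# so run this twice after a restart; the first result is expected to be
# "not-stapled" even on a correctly configured server.
check_ocsp_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -status -tlsextdebug </dev/null 2>&1 | classify_stapling_output
}

if [ $# -gt 0 ]; then
    check_ocsp_stapling "$@"
fi
```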

Your nginx error log should show something if OCSP stapling is not working. Look there.

You might need to provide ssl_trusted_certificate if using ssl_stapling_verify. Varies by OS.

1 Like

Forgot to say, I also tried to enable ssl_trusted_certificate.

1. Generate the root and intermediate certificates

# Download the root and intermediate certificates
wget -O root.pem
wget -O intermediate.pem
# Generate the OCSP stapling verification file; note: intermediate certificate first, root certificate after
cat intermediate.pem > chained.pem
cat root.pem >> chained.pem

2. Reconfigure nginx

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/certs/chained.pem;

But it still didn’t work.

1 Like

And what does nginx’s error log say?

1 Like

Nothing … both nginx’s error log and the virtual server’s error log have nothing in them.

1 Like

When applying for the certificate, add the --ocsp option: --issue xxxxx ..... --ocsp
1 Like
