Hi guys, I’m trying to get OCSP Stapling enabled. Read tons of guides, but can’t achieve the required result through: openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status Do I have my domain to be whitelisted with LetsEncrypt for stapling to work? Is my config for NGINX cor…

I mean, I can’t get the desired result from command line with openssl: $ openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status It always return “no response …” while the test ssllabs and digicert returns OCSP stapling: Yes. Not sure if it’s working correctly, but I had to add to …

ssl_trusted_certificate /path/to/letsencrypt/ca-certificate.pem you only have to add this directive for ocsp to work

As far, as I read the community forums, there is no need to add this line as fullchain.pem already includes ca-certificate.pem part. Thanks for the response anyway!

[image] ShotaMegre: As far, as I read the community forums, there is no need to add this line as fullchain.pem already includes ca-certificate.pem part. You need fullchain.pem for trust chain of the browser, while ssl_trusted_certificate is mandatory for OCSP. Add it and check if OCSP is work…

@pfg and @lulu are correct: You need to set the ssl_trusted_certificate to chain.pem for OCSP stapling to work. Also bear in mind that Nginx lazy-loads OCSP responses. So the first request will not have a stapled response, but subsequent requests will. I’ve got some example configs in https://githu…

Thanks guys, adding the following helped to achieve the result: ssl_trusted_certificate /etc/letsencrypt/domain/live/chain.pem

Howto: OCSP Stapling for NGINX

Server

pfg April 2, 2016, 2:32pm 5

AFAIK ssl_trusted_certificate is needed in order to verify OCSP responses, independent of ssl_certificate:

Topic		Replies	Views
Will/does the letsencrypt client create a cert chain usable with OCSP stapling? Server	18	25794	January 14, 2016
How to enable OCSP on Nginx.please Help	6	5718	August 2, 2020
NGINX OCSP not responding Server	4	3596	January 9, 2016
Nginx ssl_stapling does not work Help	8	1404	August 5, 2020
OCSP Stapling - Nginx Server Server	9	8197	April 29, 2017

Howto: OCSP Stapling for NGINX

Related topics