It's official that OCSP is now dropped, so I will need to migrate all my servers to include CRL instead. However, I can't find information on how to get CRL certs, so currently my www.9cubes.com is getting "Validation error
CRL ERROR: IOException occurred" from www.ssllabs.com
Need help in getting this solved. Currently, the SSL stapling commands are
#ssl_stapling on;
#ssl_stapling_verify on;
and I add
ssl_crl /etc/location/cert.pem;
However, I believe I'm choosing the wrong PEM out of the 4 PEMs available, which are
cert, fullchain, chain, and privkey. Does anyone know which one?
Somewhat ironically, the nginx ssl_crl directive docs at Module ngx_http_ssl_module are failing to load for me currently, but you seem to have fixed this now?
Hi everyone, first of all thank you for all the help. However, I'm still confused about how to solve the problem from the www.ssllabs.com result, which is pointing out that an error occurs,
so I'm still not sure how to fix this. Maybe you guys have some idea?
Unlike OCSP stapling, I believe the CRL is needed on the opposite side of the TLS connection to verify the validity of the certificate presented. I think you are configuring an HTTPS server, so the CRL is needed only on the web client side.
Yes, my fellow volunteers are correct: from the webserver side there's nothing you can do with regard to CRLs for regular server certificates. They can't be stapled like OCSP responses. That would be insane, stapling such a large data blob to the handshake compared to small OCSP responses.
It's the job of the client to read out the CRL URI and, if they want to, fetch it and check it. Or use one of the other derivative implementations like CRLite.
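The client-side check the two replies above describe, as an added example that is not part of the thread: it builds a throwaway CA with the openssl CLI, issues a server certificate carrying a CRL distribution point, reads that URI out of the certificate the way a client would, and runs openssl verify -crl_check first against an empty CRL and then against one that revokes the certificate. The CA name, hostname and CRL URL are constructed placeholders, and the script assumes openssl 1.1.1 or later on PATH. For context on the nginx side: the ssl_crl directive applies to client certificates checked with ssl_verify_client, not to the server's own certificate, and none of the four PEM files mentioned above (cert, fullchain, chain, privkey) is a CRL; a CRL is a separate signed object published by the CA.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA, one server cert with a
# CRL distribution point, an empty CRL, a revocation, and the CRL check done
# on the *client* side with openssl verify. All names and URLs are constructed
# placeholders. Assumes the openssl CLI (1.1.1 or later) is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"
mkdir ca
: > ca/index.txt          # openssl ca's certificate database
echo 1000 > ca/serial     # next certificate serial (hex)
echo 1000 > ca/crlnumber  # next CRL number (hex)

cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.pem
private_key      = ./ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
x509_extensions  = leaf_ext
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints      = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF

# Self-signed CA (constructed name), then a server key + CSR (constructed host).
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Test CA" -days 30 -config ca.cnf -extensions ca_ext 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" -config ca.cnf 2>/dev/null
openssl ca -config ca.cnf -batch -notext -in server.csr -out server.pem 2>/dev/null

# What a client does first: read the CRL distribution point URI from the cert.
crl_uri() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p' | head -n 1
}

# $1 = certificate to check, $2 = CRL file (what the client would have fetched
# from that URI). -crl_check makes openssl consult the CRL for the leaf.
crl_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" 2>&1 || true)
  case "$out" in
    *revoked*)  echo revoked ;;
    *": OK"*)   echo valid ;;
    *)          echo "error: $out" ;;
  esac
}

# Empty CRL: certificate still valid.
openssl ca -config ca.cnf -gencrl -out crl-empty.pem 2>/dev/null
BEFORE=$(crl_status server.pem crl-empty.pem)

# CA revokes the certificate and publishes a new CRL: client now rejects it.
openssl ca -config ca.cnf -revoke server.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-after.pem 2>/dev/null
AFTER=$(crl_status server.pem crl-after.pem)

echo "CDP URI in cert  : $(crl_uri server.pem)"
echo "before revocation: $BEFORE"
echo "after revocation : $AFTER"
```

The point of the two gencrl steps is that nothing on the server changed between them; only the CA's CRL did, and only the verifying side consulted it. A web server can make its own certificate easier to check by publishing a fresh chain, but it cannot hand the CRL to the browser the way an OCSP staple is sent in the handshake.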
Got it. So basically, we will be unable to fix this error. However, its HTTPS is already fixed and secure, right? Again, thank you everyone, appreciated.
Interestingly, I ran an SSL Labs test for your domain late last night and it did not show the CRL IO error. Although, it does again this morning. Other domains sometimes show that error and sometimes not. It is definitely a problem with the SSL Labs test itself.