bagas
July 6, 2020, 8:49am
1
Hello.
OCSP stapling does not work.
Test OCSP stapling = No
OCSP response: no response sent
Configuring nginx.
ssl_certificate /usr/local/etc/letsencrypt/live/site.ru/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/site.ru/privkey.pem;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/site.ru/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.1.1;
resolver_timeout 5s;
openssl-1.1.1g,1
certbot 1.5.0
bagas:
resolver 127.0.1.1;
Do you run a recursive resolver on the same server?
Also, what do the nginx logs say about OCSP?
1 Like
bagas
July 6, 2020, 10:09am
3
resolver 127.0.1.1;
Yes, I'm running dnsmasq.
Also, what do the nginx logs say about OCSP?
There are no errors.
Osiris
July 6, 2020, 10:38am
4
bagas:
There are no errors.
Then how do you know it doesn't work?
IIRC nginx only supports stapling as a cache, so if it currently has no valid OCSP response for a request, it replies to the browser without stapling and fetches from the OCSP server to save it for later use.
1 Like
bagas
July 6, 2020, 12:44pm
6
That’s right, as the cache filled up, I saw OCSP stapling Yes
bagas
July 6, 2020, 12:49pm
7
I looked here.
https://www.ssllabs.com/ssltest/
On my computer in the console.
openssl s_client -connect site.ru:443 -status 2>&1 | grep "OCSP"
Now everything is in order, it shows this.
openssl s_client -connect site.ru:443 -status 2>&1 | grep "OCSP"
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
https://www.ssllabs.com/ssltest/ shows OCSP stapling: Yes
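Because nginx answers the first handshakes without a staple and only staples once its cache is filled, a single `openssl s_client -status` probe can report a false "no response sent". The script below is an added example, not part of the original posts: it repeats the probe and classifies the output using the two strings quoted in this thread. The function names, retry count and delay are assumptions.

```shell
#!/bin/sh
# Added example: stapling check that tolerates nginx's cold OCSP cache.

# Read `openssl s_client -status` output on stdin and print one of:
#   stapled      a successful OCSP response was sent in the handshake
#   not-stapled  handshake completed but no OCSP response was attached
#   unknown      neither marker seen (connection error, old openssl, ...)
classify_status() {
    awk '
        /OCSP Response Status: successful/ { r = "stapled" }
        /OCSP response: no response sent/  { if (r == "") r = "not-stapled" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# One handshake that requests a stapled response ($1 = host, $2 = port).
# stdin is closed so s_client exits right after the handshake.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>&1
}

# check_stapling HOST [PORT] [TRIES] [DELAY_SECONDS]
# Returns 0 as soon as a staple is seen, 1 if every attempt lacked one.
# The first attempt against a freshly (re)started nginx is expected to be
# "not-stapled": that request triggers the OCSP fetch that fills the cache.
check_stapling() {
    host=$1; port=${2:-443}; tries=${3:-3}; delay=${4:-5}
    i=1
    while [ "$i" -le "$tries" ]; do
        result=$(probe "$host" "$port" | classify_status)
        echo "attempt $i/$tries: $result"
        if [ "$result" = "stapled" ]; then return 0; fi
        if [ "$i" -lt "$tries" ]; then sleep "$delay"; fi
        i=$((i + 1))
    done
    return 1
}

# Run only when a host is given, e.g.: sh check_stapling.sh site.ru 443 4 5
if [ "$#" -gt 0 ]; then
    check_stapling "$@"
fi
```

A result of `unknown` on every attempt points at a connection or TLS problem rather than at stapling, so check the raw `probe` output in that case.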
bagas
July 6, 2020, 12:50pm
8
Thank you all for your help! @Osiris @orangepizza