Nginx ssl_stapling does not work

Hello.
Does not work OCSP stapling.
Test OCSP stapling = No
OCSP response: no response sent
Configuring nginx.

ssl_certificate /usr/local/etc/letsencrypt/live/site.ru/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/site.ru/privkey.pem;
ssl_trusted_certificate /usr/local/etc/letsencrypt/live/site.ru/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.1.1;
resolver_timeout 5s;

openssl-1.1.1g,1
certbot 1.5.0

Do you run a recursive resolver on the same server?

Also, what do the nginx logs say about OCSP?

1 Like

resolver 127.0.1.1;

Yes, I’m running dnsmasq.

Also, what do the nginx logs say about OCSP?

There are no errors.

Then how do you know it doesn’t work?

IIRC nginx staple only support stapling as cache, so if it currently has no valid ocsp for request then it it reply to browser without stapling, and patch ocsp server to save it for later use

1 Like

That’s right, as the cache filled up, I saw OCSP stapling Yes

I looked here.
https://www.ssllabs.com/ssltest/

On my computer in the console.
openssl s_client -connect site.ru:443 -status 2>&1 | grep “OCSP”

Now everything is in order, it shows this.

openssl s_client -connect site.ru:443 -status 2>&1 | grep "OCSP"
OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

https://www.ssllabs.com/ssltest/ visible OCSP stapling Yes

Thank you all for your help! @Osiris @orangepizza

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.