Nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate


My domain is: vadim.com.ru

I ran this command: service nginx restart

It produced this output:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "

My web server is (include version): nginx v 1.20.1

The operating system my web server runs on is (include version): TrueNAS-12.0-U5.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0

Hi @Volkodav welcome to the LE community forum :slight_smile:

If it shows that error every time nginx is restarted, then please post that file here.

Do you mean the error log file? I have a feeling this whole mess is because of nginx version 1.20.1, and I read somewhere that OCSP is supported in =>1.3.7
error.log.txt (196.4 KB)

No, I mean for you to show the file in the error message:

fullchain.pem (5.5 KB) This one? Bad news is that a newer version is not available as a package or in the ports tree, which was deprecated anyway.

hmm...
It seems that, in your case, since it is using the default trusted path chain which ends with "DST Root CA X3 (expired)", nginx fails to find the relevant OCSP information needed.
see:


I would try removing the last cert from the fullchain.pem file and restart nginx.
If that workaround fixes the problem, you will have to switch to using the alternate trust path chain.
If it does NOT fix the problem, please show the nginx vhost config file that serves that FQDN securely.

I don't think it has to do with that, as nginx usually only cares about OCSP info for the leaf. To me it looks like some weirdness is going on with the nginx config itself.

1 Like
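Added example, not posted by anyone in this thread: a POSIX shell function that splits a PEM bundle such as fullchain.pem into its individual certificates and prints each one's OCSP responder URL (openssl's -ocsp_uri output), so you can see whether the leaf carries an OCSP URL and which chain certificates do not before editing the file by hand. It assumes the openssl CLI is installed; the bundle path and the certificate names are assumptions.

```shell
#!/bin/sh
# Added example, not from this thread: report the OCSP responder URL of every
# certificate in a PEM bundle (e.g. a Let's Encrypt fullchain.pem).
# Assumes the openssl CLI is installed; the bundle path is an argument.

# Print one line per certificate: index, OCSP URI (or "-" if none), subject.
ocsp_report() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle: awk writes cert-1.pem, cert-2.pem, ... one per PEM block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle"
    i=1
    while [ -f "$tmpdir/cert-$i.pem" ]; do
        f="$tmpdir/cert-$i.pem"
        # -ocsp_uri prints the id-ad-ocsp entry of the AIA extension, if any.
        uri=$(openssl x509 -in "$f" -noout -ocsp_uri 2>/dev/null)
        [ -n "$uri" ] || uri="-"
        subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null)
        printf '%s\t%s\t%s\n' "$i" "$uri" "$subj"
        i=$((i + 1))
    done
    rm -rf "$tmpdir"
}

# Print how many certificates in the bundle have no OCSP URI.
# nginx only staples for the leaf, so a "-" on line 1 is the one that matters.
count_without_ocsp() {
    ocsp_report "$1" | awk -F'\t' '$2 == "-" { n++ } END { print n + 0 }'
}

# Usage (path is an assumption): ocsp_report /usr/local/etc/letsencrypt/live/truenas/fullchain.pem
```

Roots never carry an OCSP URL, so a "-" on the last line is expected; a "-" on the first line means the leaf itself lacks one.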

Step by step...
Inch by inch...
Leaving no leaf unturned...
We will get to the bottom of this!
LOL

1 Like

nextcloud.conf.txt (6.7 KB)
Here is the config and I have no clue how to remove that one certificate from that bundle

VI ?
VIM ?
NANO ?
FTP out, edit with notepad (NOT WORDPAD), FTP back in ?

The ssl_trusted_certificate directive doesn't belong there. That's for:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

(Module ngx_http_ssl_module)

I see that you've commented out some lines. Can you uncomment them, but leave this specific directive commented? Don't forget to reload/restart nginx after making changes.

1 Like

Yeah I am cool with nano - let me try - I still think it must be the nginx version that's a show stopper here

1 Like

When you comment out those lines, then nginx may default to using whatever is in the main config.
Let's have a look at that file too.
maybe:
/etc/nginx/nginx.conf

Oooo look another leaf to look under!

1 Like

Error

nginx.conf.txt (3.3 KB)

Did that - posted the output after nginx restart

These are being globally set:

  # SSL
  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;

I would remove the first three:

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

I did - that's what happened

Please use complete sentences.
You did what exactly?

Removed those three as was advised

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;