Nginx: [warn] “ssl_stapling” ignored, no OCSP responder URL in the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: service nginx restart

It produced this output:
Edit /etc/motd to change this login announcement.
root@Nextcloud:~ # service nginx restart
Performing sanity check on nginx configuration:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl
My web server is (include version): nginx-1.20.2

The operating system my web server runs on is (include version): TrueNAS-12.0-U6.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

I had a similar error 2 months ago and it was fixed since the certs were not downloaded correctly - I checked them based on the previous errors but did not see any. This time I have this error after I upgraded Nextcloud to v22.2.3

Please show the file:


fullchain.pem (1.1 KB)
@rg305 - sorry for the delay - had to step out.

Well that is definitely a problem.
It only contains one cert, and that cert has nothing to do with LE and I doubt has any OCSP:

Let's have a look at your nginx config:
nginx -T

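To make that diagnosis repeatable from a shell, here is an added example (not code from the thread, from nginx or from certbot) that inspects a PEM file the way nginx does before deciding whether "ssl_stapling" can work: the leaf certificate must carry an OCSP responder URL in its Authority Information Access extension, and the file must also contain the issuer certificate nginx needs to build the OCSP request. It assumes the openssl command-line tool is installed; the two certificates it generates are constructed stand-ins (a bare self-signed "truenas" cert like the one found in live/truenas/, and one with an OCSP URL added), and the file names are illustrative.

```shell
#!/bin/sh
# Added example, not code from the thread, nginx or certbot.
# Inspect a PEM file the way nginx does before it decides whether
# "ssl_stapling" can work: the leaf must carry an OCSP responder URL
# (Authority Information Access extension) and the file must also hold
# the issuer certificate nginx needs to build the OCSP request.
# Assumes the openssl CLI is installed; file paths are illustrative.

# Number of PEM certificates in the file (a certbot fullchain.pem has 2+).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# OCSP responder URL of the first (leaf) certificate; prints nothing when
# the AIA extension is absent, which is exactly what triggers the warning.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

leaf_subject() { openssl x509 -in "$1" -noout -subject; }
leaf_issuer()  { openssl x509 -in "$1" -noout -issuer;  }

# One-word verdict mirroring the two checks nginx performs at startup.
stapling_check() {
    uri=$(ocsp_uri "$1")
    n=$(count_certs "$1")
    if [ -z "$uri" ]; then
        echo no-ocsp-url
    elif [ "$n" -lt 2 ]; then
        echo no-issuer-in-file
    else
        echo stapling-ok
    fi
}

# Constructed sample 1: a plain self-signed certificate for "truenas",
# standing in for the appliance certificate found in live/truenas/.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=truenas" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Constructed sample 2: same, but with an OCSP URL in its AIA extension
# (needs OpenSSL 1.1.1+ for -addext). Still a single cert, so nginx would
# have no issuer certificate to build the OCSP request from.
make_with_ocsp() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vadim.com.ru" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

main() {
    tmp=$(mktemp -d)
    make_selfsigned "$tmp/truenas.pem"
    echo "== $tmp/truenas.pem"
    echo "certs: $(count_certs "$tmp/truenas.pem")"
    leaf_subject "$tmp/truenas.pem"
    leaf_issuer  "$tmp/truenas.pem"
    echo "ocsp: '$(ocsp_uri "$tmp/truenas.pem")'"
    echo "verdict: $(stapling_check "$tmp/truenas.pem")"
    if make_with_ocsp "$tmp/aia.pem"; then
        echo "== $tmp/aia.pem"
        echo "ocsp: '$(ocsp_uri "$tmp/aia.pem")'"
        echo "verdict: $(stapling_check "$tmp/aia.pem")"
    fi
    rm -rf "$tmp"
}

main
```

Run it against the real file (`stapling_check /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem`) to confirm the path nginx points at is a certbot chain: the leaf should print an OCSP URL and the count should be at least 2, giving "stapling-ok".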

@rg305 - Here you go
nginx.conf.txt (3.3 KB)

There's more to nginx -T output.
[not just the nginx.conf file]

And also show:
ls -ltr /usr/local/etc/letsencrypt/live/truenas/


ltr
I can't ssh into my Nextcloud jail for some reason now too. Only have access to shell from TrueNas interface. Don't know how to get the full output of nginx -T to you

What shows?:
certbot certificates



I guess the path is wrong? vadim.com.ru instead of truenas?

We haven't seen enough of your nginx config to be sure.
Please show:
ls -ltr /usr/local/etc/nginx/conf.d/*.conf


Also, try changing this line in your nginx.conf file:

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

To:

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  #ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

Let's have a look at that file.

That's likely the one that needs the LE cert.


nextcloud.conf.txt (891 Bytes)

hmm...
Let's have a look at this file:
/usr/local/etc/nginx/conf.d/nextcloud.inc


nextcloud.inc.txt (5.4 KB)

Commented it out - same result

At the risk of interrupting @rg305's plan, I will say yes, change the path to vadim.com.ru. Rudy was making sure you did not have another set of ssl_certificate lines at the server level, where they usually are.

You only had these lines in one place so changing the path in your nginx.conf should work.

  ssl_certificate     /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem;

@MikeMcQ - Yes it sure worked - @rg305 really pointed the error out and you've just confirmed my guess. Thanks a lot for your help guys. These Nextcloud updates are always borked this way or another and I probably shouldn't have updated the jail along with it. Will see what happens next time.


The nextcloud.conf file has no lines to include any cert and uses a default server name "_".
It is NOT configured to "work".
This only "works" by lack of choice.

The proper solution is to fix it so that, if you ever add another name, things will always continue to "work" as you expect them to.

In my book, this is not yet solved (at least not to my satisfaction).
