Nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: service nginx restart

It produced this output:
Performing sanity check on nginx configuration:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 30143.
Performing sanity check on nginx configuration:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"

I upgraded the system 2 days ago - something went wrong with the certs - everything else upgraded without any hiccups, Nextcloud included

This is the output from Firefox:
https://vadim.com.ru/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false

HTTP Public Key Pinning: false

Certificate chain:


Show us the nginx config.

````
paste it like this please.
````

cat nginx.conf

load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_stream_module.so;

user www;
worker_processes auto;

pid /var/run/nginx.pid;

events {
  use kqueue;
  worker_connections 1024;
  multi_accept on;
}
http {

  # Basic settings
  # ----------

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  reset_timedout_connection on;
  keepalive_timeout 65;
  keepalive_requests 1000;
  types_hash_max_size 2048;
  server_tokens off;
  send_timeout 30;
  server_names_hash_max_size 4096;

  # Common limits
  # ----------

  client_max_body_size 100m; # upload size
  client_body_buffer_size 1m;
  client_header_timeout 3m;
  client_body_timeout 3m;

  client_body_temp_path /var/tmp/nginx/client_body_temp;

  proxy_connect_timeout 5;
  proxy_send_timeout 10;
  proxy_read_timeout 10;

  proxy_buffer_size 4k;
  proxy_buffers 8 16k;
  proxy_busy_buffers_size 64k;
  proxy_temp_file_write_size 64k;

  proxy_temp_path /var/tmp/nginx/proxy_temp;

  include mime.types;
  default_type application/octet-stream;

  # Logs format
  # ----------

  log_format main '$remote_addr - $host [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" '
                  'rt=$request_time ut=$upstream_response_time '
                  'cs=$upstream_cache_status';

  log_format cache '$remote_addr - $host [$time_local] "$request" $status '
                   '$body_bytes_sent "$http_referer" '
                   'rt=$request_time ut=$upstream_response_time '
                   'cs=$upstream_cache_status';

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log warn;

  # GZip config
  # ----------

  gzip on;
  gzip_static on;
  gzip_types text/plain text/css text/javascript text/xml application/x-javascript application/javascript application/xml application/json image/x-icon;
  gzip_comp_level 9;
  gzip_buffers 16 8k;
  gzip_proxied expired no-cache no-store private auth;
  gzip_min_length 1000;
  gzip_disable "msie6";
  gzip_vary on;

  # Cache config
  # ----------

  proxy_cache_valid 1m;

  # Virtual host config
  # ----------

  # SSL
  # ----------

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;

  # intermediate configuration
  # Keep only TLS 1.2 (+ TLS 1.3)
  ssl_protocols TLSv1.2 TLSv1.3;
  # Use only strong ciphers
  ssl_ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  # Use more secure ECDH Curve
  ssl_ecdh_curve X25519:P-521:P-384:P-256;
  # Let the client pick from the list above (Mozilla intermediate profile);
  # with only TLS 1.2+ AEAD suites offered there is no BEAST exposure
  ssl_prefer_server_ciphers off;

  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  include /usr/local/etc/nginx/conf.d/*.conf;
}

Please add four backticks ```` on the line before and the line after what you pasted

Also, when I connect I get a self-signed certificate. That one really does not have an OCSP responder URL.



It shouldn't be self-signed.
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: vadim.com.ru
Serial Number: 4a4bc31c2be9d4614690ccef07b94ec6f00
Key Type: RSA
Domains: vadim.com.ru
Expiry Date: 2022-03-25 18:42:35+00:00 (VALID: 41 days)
Certificate Path: /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem

It's not the same certificate.


Unless... what's in that directory?
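Checking what nginx is actually loading, as an added example (not from the thread, nginx or certbot): a small Python script that reads the first certificate in a fullchain.pem, compares issuer to subject, and looks for an OCSP responder URL in the Authority Information Access extension, which is what `ssl_stapling` needs. The sample certificates it builds (`fake_cert_pem`, the CA names and `http://ocsp.example.test`) are constructed DER lookalikes, not real CA output; run `inspect_leaf(pem_leaf_to_der(open(path).read()))` on a real bundle.

```python
import base64
import re
OID_OCSP = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x30\x01"  # id-ad-ocsp (1.3.6.1.5.5.7.48.1)
OID_AIA = b"\x06\x08\x2b\x06\x01\x05\x05\x07\x01\x01"   # id-pe-authorityInfoAccess

def _tlv(tag, body):                      # encode one DER TLV (lengths below 65536 only)
    n = len(body)
    ln = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body

def _read_tlv(buf, pos):                  # decode the TLV at pos -> (tag, body, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                         # long-form length: low bits = number of length bytes
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def pem_leaf_to_der(pem):                 # first cert in a bundle: the leaf nginx staples for
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def inspect_leaf(der):
    """Walk TBSCertificate far enough to compare issuer/subject and find an OCSP URL."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)        # TBSCertificate SEQUENCE
    pos = 0
    for _ in range(3):                    # skip [0] version, serialNumber, signature AlgId
        _, _, pos = _read_tlv(tbs, pos)
    _, issuer, pos = _read_tlv(tbs, pos)  # issuer Name
    _, _, pos = _read_tlv(tbs, pos)       # validity
    _, subject, _ = _read_tlv(tbs, pos)   # subject Name
    ocsp, i = None, tbs.find(OID_OCSP)    # AccessDescription { id-ad-ocsp, URI } inside AIA
    if i >= 0:
        tag, body, _ = _read_tlv(tbs, i + len(OID_OCSP))
        if tag == 0x86:                   # GeneralName [6] uniformResourceIdentifier
            ocsp = body.decode("ascii")
    # nginx logs '"ssl_stapling" ignored, no OCSP responder URL' when ocsp_url is None
    return {"self_signed": issuer == subject, "ocsp_url": ocsp}

# --- constructed sample input: a DER lookalike (unsigned, dummy fields), not a real CA cert ---
_name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, b"\x06\x03\x55\x04\x03" + _tlv(0x0C, cn.encode()))))
def fake_cert_pem(issuer_cn, subject_cn, ocsp_url=None):
    alg, ext = _tlv(0x30, b"\x06\x01\x00"), b""
    if ocsp_url:                          # AuthorityInfoAccess extension carrying the OCSP URL
        aia = _tlv(0x30, _tlv(0x30, OID_OCSP + _tlv(0x86, ocsp_url.encode())))
        ext = _tlv(0xA3, _tlv(0x30, _tlv(0x30, OID_AIA + _tlv(0x04, aia))))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"220211084912Z") * 2) + _name(subject_cn) + _tlv(0x30, b"") + ext)
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```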

I guess I'll have to change truenas to vadim.com.ru - let me try that first

upstream php-handler {
    server unix:/var/run/nextcloud-php-fpm.sock;
}

# Redirect to HTTPS
server {
    listen 80 default_server;
    listen [::]:80;

    location ^~ /.well-known/acme-challenge {
        # Path to the root of your installation
        root /usr/local/www/nextcloud/;
        try_files $uri $uri/ =404;
    }

    location / {
       return 301 https://$host:443$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name _;

    # HSTS settings
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains;" always;

    include conf.d/nextcloud.inc;
}

Tell me if there is an ssl_certificate directive inside that file (doubt it)

(PS: copy-paste the backticks, I realize there aren't any on your keyboard)


What would the full path to conf.d/nextcloud.inc be? I went blank on it

It should be relative to nginx.conf


I used to have the nextcloud folder in /usr/local/www/ - it's not there anymore.
I updated Nextcloud yesterday to version 23 - maybe they moved things around?!

Hang on please

client_max_body_size 512M;
fastcgi_buffers 64 4K;

# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;

# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy                      "no-referrer"   always;
add_header X-Content-Type-Options               "nosniff"       always;
add_header X-Download-Options                   "noopen"        always;
add_header X-Frame-Options                      "SAMEORIGIN"    always;
add_header X-Permitted-Cross-Domain-Policies    "none"          always;
add_header X-Robots-Tag                         "none"          always;
add_header X-XSS-Protection                     "1; mode=block" always;

# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;

# Path to the root of your installation
root /usr/local/www/nextcloud/;

# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;

# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
    if ( $http_user_agent ~ ^DavClnt ) {
        return 302 /remote.php/webdav/$is_args$args;
    }
}

location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
    # The rules in this block are an adaptation of the rules
    # in `.htaccess` that concern `/.well-known`.

    # Needed to prevent including the scheme, domain and port in the Location header.
    absolute_redirect off;
    location = /.well-known/carddav { return 301 /remote.php/dav/; }
    location = /.well-known/caldav  { return 301 /remote.php/dav/; }

    location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
    location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

    # Let Nextcloud's API for `/.well-known` URIs handle all other
    # requests by passing them to the front-end controller.
    return 301 /index.php$request_uri;
}

# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
    # Required for legacy support
    rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;

    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $path_info;
    # fastcgi_param HTTPS on;

    fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
    fastcgi_param front_controller_active true;     # Enable pretty urls
    fastcgi_pass php-handler;

    fastcgi_intercept_errors on;
    fastcgi_request_buffering off;
}

location ~ \.(?:css|js|svg|gif|png|jpg|ico)$ {
    try_files $uri /index.php$request_uri;
    expires 6M;         # Cache-Control policy borrowed from `.htaccess`
    access_log off;     # Optional: Don't log access to assets
}

location ~ \.woff2?$ {
    try_files $uri /index.php$request_uri;
    expires 7d;         # Cache-Control policy borrowed from `.htaccess`
    access_log off;     # Optional: Don't log access to assets
}

# Rule borrowed from `.htaccess`
location /remote {
    return 301 /remote.php$request_uri;
}

location / {
    try_files $uri $uri/ /index.php$request_uri;
}

@9peppe conf.d/nextcloud.inc

@9peppe I changed "truenas" for "vadim.com.ru" in the nginx.conf and it's all good now - thanks for your help!
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Stopping nginx.
Waiting for PIDS: 30276.
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.