Ssl_stapling error nginx

Hi everyone!

I have been sifting through nginx error logs and have noticed the following message several times:
[warn] 782#782: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/<domain>/fullchain.pem"

I have been testing OCSP stapling both manually and automatically (using Qualys SSL labs) and verified for myself that OCSP works. Here is my ssl configuration for nginx:

gzip off;

ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;

This message only appeared 10 times in the logs in the past 4 days. I guess it might be due to the fact that I haven't specified a DNS resolver in my configuration, but I can't verify this hypothesis since the issue is hard to reproduce. Any thoughts or pointers on this? Your help is very much appreciated!

For reference: I used the webroot plugin to obtain the certificate. I use the latest version of certbot (0.21.1) on Ubuntu 17.10 x64.

From the nginx documentation:

For a resolution of the OCSP responder hostname, the resolver directive should also be specified.

Syntax: resolver address ... [valid=time] [ipv6=on|off];
Default: —
Context: http, server, location

Since the default value is empty, OCSP will not work at all if no resolver directive is specified.
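The two things worth verifying here, as an added example that is not part of the original posts: that the OCSP responder host named in the certificate (ocsp.int-x3.letsencrypt.org in the warning above) actually resolves from the nginx box, which is what the resolver directive is for, and that the server really staples a response. The certificate path and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original posts: client-side checks for OCSP
# stapling. Resolving the responder host mirrors what nginx must do itself
# (hence the `resolver` directive); the s_client check shows what is stapled.

# Hostname part of an OCSP responder URL, e.g.
# "http://ocsp.int-x3.letsencrypt.org" -> "ocsp.int-x3.letsencrypt.org".
responder_host() {
  h=${1#*://}      # drop scheme
  h=${h%%/*}       # drop path
  h=${h%%:*}       # drop port
  printf '%s\n' "$h"
}

# OCSP responder URL(s) from the Authority Information Access extension.
ocsp_uris_from_cert() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Exit 0 if the responder host resolves from this machine, non-zero otherwise.
responder_resolves() {
  getent hosts "$(responder_host "$1")" >/dev/null
}

# Classify `openssl s_client -status` output read on stdin:
#   none    - server sent no stapled response
#   good    - stapled response present, certificate status good
#   revoked - stapled response present, certificate status revoked
#   unknown - stapled response present but not successful / unrecognised
classify_stapling() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo none
  elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then echo good
    elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then echo revoked
    else echo unknown; fi
  else
    echo unknown
  fi
}

# Live check: handshake with the status_request extension and classify
# whatever the server stapled. Usage: check_stapling example.org [443]
check_stapling() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -status \
    </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample of the relevant s_client lines, for offline use.
SAMPLE_STAPLED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
```

nginx fetches the OCSP response lazily after the first handshake following a reload, so a "none" result on the very first connection is expected; run check_stapling a second time before concluding stapling is broken.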

