Ssl_stapling error nginx


Hi everyone!

I have been sifting through nginx error logs and have noticed the following message several times:
[warn] 782#782: "ssl_stapling" ignored, host not found in OCSP responder "" in the certificate "/etc/letsencrypt/live/<domain>/fullchain.pem"

I have been testing OCSP stapling both manually and automatically (using Qualys SSL labs) and verified for myself that OCSP works. Here is my ssl configuration for nginx:

gzip off;

ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/<domain>/chain.pem;

This message only appeared 10 times in logs in the past 4 days. I guess it might be due to the fact that I haven’t specified a DNS resolver in my configuration, but I can’t verify this hypothesis since it is hard to reproduce this issue. Any thoughts or pointers on this? Your help is very much appreciated!

For reference: I used the webroot plugin to obtain a certificate. I use the latest version of certbot (0.21.1) on Ubuntu 17.10 x64.


From the nginx documentation:

For a resolution of the OCSP responder hostname, the resolver directive should also be specified.

Syntax: resolver address ... [valid=time] [ipv6=on|off];
Context: http, server, location

As the default value is empty, OCSP will not work at all if no resolver directive is specified.
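
The check the reply points to, as an added example that is not part of either post or of nginx or certbot: a small Python linter that flags server blocks where ssl_stapling is effectively on and no resolver is set in the block or inherited from an enclosing one. The sample configuration, server names and resolver address are constructed; include files are not followed, and a "#" inside a quoted value is treated as a comment.

```python
import re

# Constructed sample: the first server block mirrors the question (stapling on,
# no resolver); the second sets one. Names and the resolver address are made up.
SAMPLE_CONF = """
http {
    server { server_name a.example; ssl_stapling on; }
    server { server_name b.example; ssl_stapling on; resolver 127.0.0.1; }
}
"""

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(conf_text):
    """Parse nginx config text into a tree of {name, directives, children}."""
    root = {"name": "main", "directives": {}, "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf_text)):
        if tok == ";":
            if words:
                stack[-1]["directives"][words[0]] = words[1:]
            words = []
        elif tok == "{":
            block = {"name": " ".join(words), "directives": {}, "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root

def stapling_without_resolver(conf_text):
    """Return server_name values of server blocks with stapling on and no resolver."""
    findings = []
    def walk(block, stapling, resolver):
        d = block["directives"]
        # Both directives are inherited from the enclosing level unless overridden.
        stapling = d.get("ssl_stapling", stapling)
        resolver = d.get("resolver", resolver)
        if block["name"] == "server" and stapling == ["on"] and not resolver:
            findings.append(" ".join(d.get("server_name", ["<unnamed>"])))
        for child in block["children"]:
            walk(child, stapling, resolver)
    walk(parse(conf_text), ["off"], [])  # nginx default: ssl_stapling off, no resolver
    return findings
```

Because the tree is built before it is walked, a resolver line placed after the server block in the enclosing http block still counts as inherited.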

