Strange OCSP Errors

Hello,
I'm on Ubuntu 14.04 and nginx 1.9.7, trying HTTP/2, but I get this message in my error log and the site is untrusted in Firefox. No pictures and no CSS are loaded.
Ubuntu Trusty with OpenSSL 1.0.1f 6 Jan 2014 (bug fixed).

OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.int-x1.letsencrypt.org

What can I do?

nginx site-enabled file:

server {
    listen 443 ssl http2;
    server_name example.net;
    error_page 404 /404.html;
    root /var/www/example.net; ## <-- Your only path reference.
    include /etc/xxx/hhvm.conf;
    include /etc/xxx/block.conf;
    access_log /var/log/xxx/example/access.log;
    error_log /var/log/xxx/example/error.log;
    index index.php index.html;
    try_files $uri $uri/ @rewrite;
    expires max;

    # Start the SSL configurations

    ssl on;
    ssl_certificate /etc/letsencrypt/live/example/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example/fullchain.pem;
}

Thanks for the help.


Use fullchain.pem for ssl_certificate.


@eva2000 Thanks. The error is gone, but the site is still untrusted.

For Nginx-powered web server, I did this to make my site trusted:

    cd /etc/letsencrypt/live/example/
    cat cert.pem fullchain.pem > bundle.pem

Then I did this in my Nginx config file:

    ssl on;
    ssl_certificate /etc/letsencrypt/live/example/bundle.pem;
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;

Not really needed. I just use fullchain.pem and have no problems: https://le12.http2ssl.xyz/

In fact, fullchain.pem is just cat chain.pem cert.pem; you basically built cert -> LE root -> IdenTrust root -> cert. Since the validation stops with the trust anchor found for IdenTrust, it works, but it’s really superfluous at best.
