Strange OCSP Errors


#1

Hello,
i´m on ubuntu 14.04 & nginx 1.9.7 try with http/2 but i get msg in my error Log and the site is untrusted in firefox. no pix, no css is loaded.
ubuntu trusty with OpenSSL 1.0.1f 6 Jan 2014 Bug fixed

OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.int-x1.letsencrypt.org

what can i do?

nginx site-enabled file:

server {
listen 443 ssl http2;
server_name example.net;
error_page 404 /404.html;
root /var/www/example.net; ## <-- Your only path reference.
include /etc/xxx/hhvm.conf;
include /etc/xxx/block.conf;
access_log /var/log/xxx/example/access.log;
error_log /var/log/xxx/example/error.log;
index index.php index.html;
try_files $uri $uri/ @rewrite;
expires max;

Start the SSL configurations

ssl on;
ssl_certificate /etc/letsencrypt/live/example/cert.pem;
ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example/fullchain.pem;

thanks for help


#2

use fullchain.pem for ssl_certificate


#3

@eva2000 Thanks Error is gone but Site is still untrusted


#4

For Nginx-powered web server, I did this to make my site trusted:

cd /etc/letsencrypt/live/example/
cat cert.pem fullchain.pem > bundle.pem

Then I did this in my Nginx config file:
ssl on;
ssl_certificate /etc/letsencrypt/live/example/bundle.pem;
ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;


#5

not really needed i just use fullchain.pem and no probs https://le12.http2ssl.xyz/


#6

In fact fullchain.pem is just cat chain.pem cert.pem, you basically built cert -> LE root -> IdentTrust root -> cert. Since the validation stops with the trust anchor found for IdentTrust, it works, but it’s really superfluous at best.