Nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

JourneyGreatest · June 28, 2017, 7:15pm

Hi, I have my SSL certificate (via GoDaddy) set up and it’s all good but can’t get OSCP Stapling enabled.

When I add the code (nginx -t) I get this: nginx: [warn] “ssl_stapling” ignored, issuer certificate not found nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful

I used “curl ocsp.digicert.com/ping.html” “You have successfully reached the DigiCert OCSP Service”

I’ve tried many tutorials. I’ve also tried this on nginx, the domain and the default config files to no avail.

Please advise. Thanks.

JourneyGreatest · June 29, 2017, 3:26pm

The issue is exactly the same using EE’s Lets Encrypt method too.

virtubox · June 30, 2017, 11:52am

Do you include this in your vhost configuration ? :

# OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;

JourneyGreatest · June 30, 2017, 10:11pm

Yeah all those variations don’t work.

Boulder / Lets Encrypt doesn’t support it. Too troublesome.

virtubox · June 30, 2017, 10:36pm

This thread is outdated, OSCP stapling work without problem with Let’s Encrypt. What is your nginx version and openssl version ?

nginx -v
openssl version

Here the configuration you should have with OSCP stapling : https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2h&hsts=yes&profile=modern

system · November 9, 2018, 2:00pm