Nginx: [warn] "ssl_stapling" ignored, issuer certificate not found


#1

Hi, I have my SSL certificate (via GoDaddy) set up and it’s all good, but I can’t get OCSP stapling enabled.

When I add the code (nginx -t) I get this:

    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

I used “curl ocsp.digicert.com/ping.html” “You have successfully reached the DigiCert OCSP Service”

I’ve tried many tutorials. I’ve also tried this on nginx, the domain and the default config files to no avail.

Please advise. Thanks.


#2

The issue is exactly the same using EE’s Let’s Encrypt method too.


#3

Do you include this in your vhost configuration?

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    resolver <IP DNS resolver>;
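
The warning in this thread means nginx could not find the certificate of the server certificate's issuer, which it looks for in the `ssl_certificate` file (after the leaf) or in the `ssl_trusted_certificate` file. The script below is an added example, not part of any post here: it checks for that condition before a reload. The function names `issuer_present` and `make_demo_chain`, the throwaway CA and the file names are constructed for illustration, and the match is by name hash only.

```shell
#!/bin/sh
# Added example. Name-hash comparison only; it does not verify signatures
# (use `openssl verify` for a full chain check).

# issuer_present CERT_FILE [TRUSTED_FILE]
#   CERT_FILE    : the ssl_certificate file (leaf first, optional chain after)
#   TRUSTED_FILE : the ssl_trusted_certificate file, if any
# Returns 0 if a certificate whose subject equals the leaf's issuer is found,
# 1 if not, 2 if the leaf could not be read.
issuer_present() {
    tmp=$(mktemp -d) || return 2
    # Split every PEM certificate into its own numbered file.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", d, n) }
        out { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }' "$@"
    [ -f "$tmp/001.pem" ] || { rm -rf "$tmp"; return 2; }
    want=$(openssl x509 -in "$tmp/001.pem" -noout -issuer_hash) ||
        { rm -rf "$tmp"; return 2; }
    rc=1
    for c in "$tmp"/*.pem; do
        [ "$c" = "$tmp/001.pem" ] && continue      # skip the leaf itself
        if [ "$(openssl x509 -in "$c" -noout -subject_hash)" = "$want" ]; then
            rc=0; break
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Constructed sample input: a throwaway CA and a leaf it signs, written to $1.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
}

demo=$(mktemp -d) && make_demo_chain "$demo" || exit 1
issuer_present "$demo/leaf.pem" || echo "leaf only: issuer certificate not found"
issuer_present "$demo/fullchain.pem" && echo "full chain: issuer found"
issuer_present "$demo/leaf.pem" "$demo/ca.pem" && echo "leaf + trusted file: issuer found"
rm -rf "$demo"
```

Against a real vhost, pass the paths from the `ssl_certificate` and `ssl_trusted_certificate` directives to `issuer_present`.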

#4

Yeah, all those variations don’t work.

Boulder / Let’s Encrypt doesn’t support it. Too troublesome.


#5

This thread is outdated; OCSP stapling works without problems with Let’s Encrypt. What are your nginx version and openssl version?

nginx -v
openssl version

Here is the configuration you should have with OCSP stapling: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2h&hsts=yes&profile=modern


#6