
Enable OCSP stapling

nginx

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/certs/ca_stapling.pem;
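The three directives above are the minimum; in practice nginx also needs a resolver, because it resolves the OCSP responder hostname from the certificate's AIA extension itself, and without one the fetch fails silently and nothing is stapled. A complete server block as an added example (not from the original page; all paths, the server name and the resolver address are placeholders):

```nginx
server {
    listen 443 ssl;
    server_name yourdomain.com;

    # yourfullcert.crt: leaf certificate followed by the intermediate(s)
    ssl_certificate     /etc/nginx/certs/yourfullcert.crt;
    ssl_certificate_key /etc/nginx/certs/yourdomain.key;

    # OCSP stapling: fetch the response from the responder named in the
    # certificate's AIA extension and send it during the TLS handshake
    ssl_stapling on;
    # verify the fetched response; a response that does not verify is
    # logged as an error and not stapled
    ssl_stapling_verify on;
    # intermediate cert(s) followed by the root: the trust store used
    # to verify the OCSP response signer
    ssl_trusted_certificate /etc/nginx/certs/ca_stapling.pem;

    # needed for nginx to resolve the responder hostname (placeholder
    # address: use your local resolver)
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;
}
```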

ca_stapling.pem should contain (from top to bottom) the intermediate certificate(s) followed by the root certificate. Otherwise you might get an error like:

2021/10/26 15:46:04 [error] 22172#22172: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:self signed certificate in certificate chain) while requesting certificate status, responder: ocsp.starfieldtech.com, peer: 192.xx.xx.xx:80, certificate: "/etc/nginx/certs/yourfullcert.crt"

nginx's documentation states that for ssl_stapling_verify to work, the issuer certificate, the root certificate and all intermediates have to be configured as trusted with ssl_trusted_certificate, and this applies to Let's Encrypt certificates too: bundle the Let's Encrypt intermediate and ISRG Root X1 rather than relying on the directive being unnecessary. Note also that Let's Encrypt has since announced the end of its OCSP service in favour of CRLs; a certificate issued without an OCSP responder URL gives nginx nothing to staple.
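Before reloading nginx it is worth checking the bundle the same way nginx will use it: once offline, by building a path from the leaf to a root using only ca_stapling.pem as trust store, and once online, by querying the responder from the certificate and verifying the answer against the bundle. The script below is an added example, not from this wiki page; the paths are placeholders and yourfullcert.crt is assumed to be a full-chain file (leaf first, then the intermediate), as an nginx ssl_certificate file usually is.

```sh
#!/bin/sh
# Added example, not from the wiki page: check ca_stapling.pem before
# handing it to ssl_trusted_certificate. Paths are placeholders, and
# yourfullcert.crt is assumed to be a full-chain file (leaf first, then
# the intermediate), as the ssl_certificate file for nginx usually is.
#
# Usage: ./check_bundle.sh /etc/nginx/certs/yourfullcert.crt /etc/nginx/certs/ca_stapling.pem

# Number of PEM certificates on stdin. The bundle has to carry the
# intermediate and the root, so anything below 2 means one is missing.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Offline: can the leaf be chained to a root using only the bundle as
# trust store? This is the same path building nginx has to do for the
# OCSP response signer; a bundle without the root fails here.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Online: query the responder from the certificate's AIA extension and
# verify the response against the bundle, i.e. what nginx does with
# ssl_stapling_verify on. Prints the decoded response.
ocsp_verifies() {
    leaf=$1; bundle=$2
    issuer=$(mktemp) || return 1
    # second certificate in the full-chain file is the leaf's issuer
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 2' "$leaf" > "$issuer"
    url=$(openssl x509 -in "$leaf" -noout -ocsp_uri)
    out=$(openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
              -CAfile "$bundle" -resp_text 2>&1)
    rm -f "$issuer"
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q 'Response verify OK'
}

main() {
    leaf=$1; bundle=$2
    n=$(pem_cert_count < "$bundle")
    [ "$n" -ge 2 ] || echo "warning: $bundle holds $n certificate(s), expected intermediate + root"
    if chain_verifies "$leaf" "$bundle"; then
        echo "chain: OK"
    else
        echo "chain: FAIL (root or intermediate missing from $bundle)"; return 1
    fi
    if ocsp_verifies "$leaf" "$bundle"; then
        echo "ocsp: OK"
    else
        echo "ocsp: FAIL (nginx would log OCSP_basic_verify() failed)"; return 1
    fi
}

if [ $# -eq 2 ]; then
    main "$@"
fi
```

If the chain step fails while `openssl verify -untrusted yourfullcert.crt ...` would succeed, the bundle is missing the intermediate; if both fail, it is missing the root.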

You can test on https://www.ssllabs.com/ or like this:

echo QUIT | openssl s_client -servername yourdomain.com -connect youripordomain:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

It should return the response data, with "OCSP Response Status: successful (0x0)" and "Cert Status: good". If the output only says "OCSP response: no response sent", nothing was stapled; since nginx fetches the OCSP response lazily after the first handshake, the first connection after a reload often shows this, so run the test a second time before concluding that stapling is not working.
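The same check wrapped in a script, as an added example (not from this wiki page): it runs the handshake with the SNI name and connect target passed on the command line (placeholders), classifies the "OCSP response:" section of openssl's output, and retries once on "no response sent" to account for nginx's lazy fetch.

```sh
#!/bin/sh
# Added example, not from the wiki page: probe a server for a stapled OCSP
# response. Host names on the command line are placeholders.
#
# Usage: ./check_stapling.sh yourdomain.com [youripordomain] [port]

# TLS handshake with SNI set to $1, connecting to $2 (defaults to $1) on
# port $3 (defaults to 443); prints openssl's output including the
# "OCSP response:" section requested with -status.
fetch_status() {
    name=$1; target=${2:-$1}; port=${3:-443}
    printf 'QUIT\n' | openssl s_client -servername "$name" \
        -connect "$target:$port" -status 2>/dev/null
}

# Classify s_client output read from stdin. Prints one of:
#   stapled:<status>  a successful OCSP response; <status> is the
#                     "Cert Status" line (good, revoked, unknown)
#   none              the server sent no OCSP response at all
#   error             a response was sent but its status is not "successful"
#   unreachable       no handshake output at all
classify_ocsp() {
    out=$(cat)
    case $out in
        '')                                   echo unreachable ;;
        *'OCSP response: no response sent'*)  echo none ;;
        *'OCSP Response Status: successful'*)
            status=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *//p' | head -n 1)
            echo "stapled:${status:-unknown}" ;;
        *)                                    echo error ;;
    esac
}

# nginx fetches the OCSP response lazily, after the first handshake that
# needs it, so the first probe after a reload usually shows "none":
# probe again before concluding that stapling is off.
check_stapling() {
    result=$(fetch_status "$@" | classify_ocsp)
    if [ "$result" = none ]; then
        sleep 2
        result=$(fetch_status "$@" | classify_ocsp)
    fi
    echo "$result"
    [ "$result" = stapled:good ]
}

if [ $# -ge 1 ]; then
    check_stapling "$@"
fi
```

The exit status is 0 only for a stapled response with "Cert Status: good", so the script can be used as a monitoring check; "stapled:revoked" is reported as a failure on purpose.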

Tested on

  • Debian 10
  • nginx/1.21.3


wiki/enable_ocsp_stapling.txt · Last modified: 2021/10/27 16:45 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal