6

I'm trying to set up OCSP stapling on Nginx because I ran a test and it suggested the idea and well, you know.

https://sslcheck.globalsign.com/en_GB/sslcheck?host=aj2jewellers.co.uk#176.58.103.165

I'm getting the error:

    nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

Here are the relevant bits of my .conf:

    server {
        # use Google's DNS
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;

        ssl_stapling on;
        ssl_stapling_verify on;
        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /pathtossl/www.aj2jewellers.co.uk.crt;
    }

Mark Robinson

1 Answer

10

The ssl_trusted_certificate option should point to the root certificate and all intermediate certificates of the CA, not your signed certificate. This is made clear in the NGINX documentation here http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_verify. For additional configuration examples, see https://blog.kempkens.io/posts/ocsp-stapling-with-nginx/

user2625709
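
The two checks this thread turns on, as an added example that is not part of the original question or answer: whether a certificate carries an OCSP responder URL (the condition named in the warning), and whether the file given to ssl_trusted_certificate holds only CA certificates. The function names, the generated sample certificates and the ocsp.example.test URL are constructed for illustration; the openssl CLI is assumed to be installed.

```shell
# Added example (not from the thread): pre-flight checks for ssl_stapling.
# Print the OCSP responder URL from a certificate's Authority Information
# Access extension; return 1 if absent (the case nginx warns about).
ocsp_uri() {
    local uri
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null)
    [ -n "$uri" ] && printf '%s\n' "$uri"
}

# Succeed only if the PEM bundle is non-empty and every certificate in it is
# a CA certificate (CA:TRUE), as expected for ssl_trusted_certificate.
bundle_is_ca_only() {
    local tmp f rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '/BEGIN CERTIFICATE/ {n++; on=1}
        on {print > (d "/" n ".pem")} /END CERTIFICATE/ {on=0}' "$1"
    for f in "$tmp"/*.pem; do
        [ -e "$f" ] || { rc=1; break; }   # no certificate found at all
        openssl x509 -in "$f" -noout -text 2>/dev/null \
            | grep -q 'CA:TRUE' || { rc=1; break; }
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: writes self-signed test certificates into $1:
# ca.pem (CA:TRUE), leaf.pem (CA:FALSE, OCSP URL), plain.pem (CA:FALSE, no URL).
make_samples() {
    local s
    cat > "$1/cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = stapling-test.example
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
[plain]
basicConstraints = CA:FALSE
EOF
    for s in ca leaf plain; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cnf" \
            -extensions "$s" -keyout "$1/$s.key" -out "$1/$s.pem" 2>/dev/null
    done
}
```

Run `ocsp_uri` on the file named in `ssl_certificate` and `bundle_is_ca_only` on the file named in `ssl_trusted_certificate`; a leaf certificate in the second file makes the check fail.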