I tried nginx 1.3.10 with ocsp stapling... but I get this error:
2013/01/09 09:14:52 [error] 27663#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com
My config looks like this:
server {
    listen [::]:443 ssl spdy;
    ssl on;
    ssl_certificate /etc/ssl/private/www.hellmi.de.pem;
    ssl_certificate_key /etc/ssl/private/www.hellmi.de.key;

    ## OCSP Stapling
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name www.hellmi.de;
    ...
}
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,234832,234832#msg-234832
on 2013-01-09 10:27
on 2013-01-09 10:47
Hello!

On Wed, Jan 09, 2013 at 04:27:12AM -0500, philipp wrote:

> listen [::]:443 ssl spdy;
> server_name www.hellmi.de;
>
> ...
> }

http://nginx.org/r/ssl_stapling_verify

Quote:

For verification to work, the certificate of the issuer of the server certificate, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

--
Maxim Dounin
http://nginx.com/support.html
on 2013-01-09 11:02
I have created a trust file both ways:

cat www.hellmi.de.pem > www.hellmi.de.trust
cat subca.pem >> www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

or

cat subca.pem > www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

and configured it as ssl_trusted_certificate; this did not help either. How do I create a trusted certificate for a StartCom CA?

This chain looks like this:

StartCom Certification Authority (ca.pem)
StartCom Class 1 Primary Intermediate Server CA (subca.pem)
www.hellmi.de (www.hellmi.de.pem)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234832,234836#msg-234836
on 2013-01-11 15:48
Hello!

On Wed, Jan 09, 2013 at 05:02:11AM -0500, philipp wrote:

> and configured it as ssl_trusted_certificate, this did not help either. How
> do I create a trusted certificate for a StartCom CA?
>
> This chain looks like this:
>
> StartCom Certification Authority (ca.pem)
> StartCom Class 1 Primary Intermediate Server CA (subca.pem)
> www.hellmi.de (www.hellmi.de.pem)

Something like

cat sub.class1.server.ca.pem ca.pem > trusted.pem

should be enough (files named to match ones available from StartCom).

I've just tested with a free class 1 cert from StartCom, and it works fine. If you still see errors with ssl_trusted_certificate configured - you may want to provide more details.

--
Maxim Dounin
http://nginx.com/support.html
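To see why the bundle has to contain the intermediate and not just the root, here is an added example (not part of the thread, and not nginx's or StartCom's code) that builds a throwaway root / intermediate / leaf / OCSP-responder PKI with the openssl command line, signs one "good" OCSP response for the leaf, and then runs the same OpenSSL check nginx's stapler calls with ssl_stapling_verify on, OCSP_basic_verify() (the function named in the error above), once against a bundle holding only the root and once against intermediate plus root. Every name, serial and the hostname www.example.test is invented; the one assumption about the real world is that the OCSP responder certificate is issued by the intermediate CA, the usual layout and the reason the intermediate must be trusted.

```shell
#!/bin/sh
# Added example, not from the nginx thread. Reproduces the
# OCSP_basic_verify() failure offline with a made-up PKI and shows which
# trust bundle (the ssl_trusted_certificate file) makes it pass.
set -eu

# Build a throwaway PKI in $1: root -> intermediate -> { leaf, OCSP responder },
# then answer one OCSP request for the leaf, signed with the responder key.
build_demo_pki() {
  d=$1
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$d/req.cnf"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\n' > "$d/ca.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = OCSPSigning\n' > "$d/ocsp.ext"
  printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:www.example.test\n' > "$d/leaf.ext"

  for n in ca sub leaf ocsp; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/$n.key" 2>/dev/null
  done
  csr() { openssl req -new -config "$d/req.cnf" -key "$d/$1.key" -subj "$2" -out "$d/$1.csr" 2>/dev/null; }
  csr ca   "/CN=Demo Root CA"
  csr sub  "/CN=Demo Class 1 Intermediate CA"
  csr leaf "/CN=www.example.test"
  csr ocsp "/CN=Demo OCSP Responder"

  # Root self-signed; intermediate issued by root; leaf and responder by the intermediate.
  openssl x509 -req -in "$d/ca.csr"   -signkey "$d/ca.key" -set_serial 1 -days 3650 -extfile "$d/ca.ext"   -out "$d/ca.pem"   2>/dev/null
  openssl x509 -req -in "$d/sub.csr"  -CA "$d/ca.pem"  -CAkey "$d/ca.key"  -set_serial 2    -days 1825 -extfile "$d/ca.ext"   -out "$d/sub.pem"  2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -set_serial 1001 -days 365  -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  openssl x509 -req -in "$d/ocsp.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -set_serial 1002 -days 365  -extfile "$d/ocsp.ext" -out "$d/ocsp.pem" 2>/dev/null

  # The intermediate's "CA database": one valid (V) row keyed by the leaf's serial.
  serial=$(openssl x509 -in "$d/leaf.pem" -noout -serial | cut -d= -f2)
  printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial" > "$d/index.txt"

  # Client side: the request nginx would send for the leaf.
  openssl ocsp -issuer "$d/sub.pem" -cert "$d/leaf.pem" -no_nonce -reqout "$d/req.der" >/dev/null 2>&1 || true
  # Responder side: answer it, signed by the delegated responder cert; the
  # response carries the responder cert but not the intermediate.
  openssl ocsp -index "$d/index.txt" -CA "$d/sub.pem" -rsigner "$d/ocsp.pem" -rkey "$d/ocsp.key" \
    -rmd sha256 -reqin "$d/req.der" -respout "$d/resp.der" -noverify >/dev/null 2>&1

  # The two ssl_trusted_certificate candidates from the thread.
  cat "$d/ca.pem" > "$d/root-only.pem"
  cat "$d/sub.pem" "$d/ca.pem" > "$d/sub-and-root.pem"
}

# Verify the response the way nginx does with ssl_stapling_verify on: OpenSSL
# must chain the responder's certificate to the trust bundle $2 using only what
# the response itself carries. Prints "OK" or the X509 verify error text.
ocsp_verify() {
  out=$(openssl ocsp -reqin "$1/req.der" -respin "$1/resp.der" -CAfile "$2" -no_nonce 2>&1 || true)
  case $out in
    *"Response verify OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*Verify error: *//p' | head -n 1 ;;
  esac
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"
echo "root only:          $(ocsp_verify "$WORK" "$WORK/root-only.pem")"
echo "intermediate+root:  $(ocsp_verify "$WORK" "$WORK/sub-and-root.pem")"
```

The first line prints exactly the text from the nginx log, "unable to get local issuer certificate": the responder certificate's issuer is the intermediate, the response does not include it, and the bundle does not contain it either, so chain building stops one step up. The second prints OK. The order of certificates inside the bundle does not matter to a trust store, and the server certificate itself adds nothing to it; what matters is that every CA between the responder certificate and a self-signed root is present, which is why `cat intermediate root > trusted.pem` is the right shape. On a live server the equivalent check is `openssl s_client -connect host:443 -status`, which shows whether a stapled response is being sent at all.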
on 2013-01-14 16:02
Thanks for your help, I guess I found the problem... I had two vhosts with ocsp. But only one host had a working trusted certificate. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234832,235032#msg-235032