OCSP_basic_verify() failed

I tried nginx 1.3.10 with ocsp stapling… but I get this error:

2013/01/09 09:14:52 [error] 27663#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp.startssl.com

My config looks like this:

server {
    listen [::]:443 ssl spdy;

    ssl on;
    ssl_certificate          /etc/ssl/private/www.hellmi.de.pem;
    ssl_certificate_key      /etc/ssl/private/www.hellmi.de.key;

    ## OCSP Stapling
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name  www.hellmi.de;
}

Posted at Nginx Forum:

Hello!

On Wed, Jan 09, 2013 at 04:27:12AM -0500, philipp wrote:

    listen [::]:443 ssl spdy;
    server_name  www.hellmi.de;
}

http://nginx.org/r/ssl_stapling_verify

Quote:

For verification to work, the certificate of the issuer of the
server certificate, the root certificate, and all intermediate
certificates should be configured as trusted using the
ssl_trusted_certificate directive.


Maxim D.

I have created a trust file both ways:

cat www.hellmi.de.pem > www.hellmi.de.trust
cat subca.pem >> www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

or

cat subca.pem > www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

and configured it as ssl_trusted_certificate; this did not help either.
How do I create a trusted certificate for a StartCom CA?

This chain looks like this:

StartCom Certification Authority (ca.pem)
StartCom Class 1 Primary Intermediate Server CA (subca.pem)
www.hellmi.de (www.hellmi.de.pem)


Thanks for your help, I guess I found the problem… I had two vhosts with
OCSP, but only one host had a working trusted certificate.


Hello!

On Wed, Jan 09, 2013 at 05:02:11AM -0500, philipp wrote:

and configured it as ssl_trusted_certificate, this did not help either.
How do I create a trusted certificate for a StartCom CA?

This chain looks like this:

StartCom Certification Authority (ca.pem)
StartCom Class 1 Primary Intermediate Server CA (subca.pem)
www.hellmi.de (www.hellmi.de.pem)

Something like

cat sub.class1.server.ca.pem ca.pem > trusted.pem

should be enough (files named to match ones available from
StartCom). I’ve just tested with a free class 1 cert from
StartCom, and it works fine. If you still see errors with
ssl_trusted_certificate configured - you may want to provide more
details.


Maxim D.
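Maxim's trust-file recipe, shown as an added shell demo that is not from the thread or from nginx: it constructs a throwaway root/intermediate/server chain shaped like the StartCom one, then shows openssl verify rejecting a trust file that holds only the server certificate with the thread's "unable to get local issuer certificate" error, while intermediate plus root passes. It assumes an openssl binary on PATH; all names (demo-root, demo-subca, www.example.test) are placeholders.

```shell
#!/bin/sh
# Added demo, not code from the thread or from nginx. It builds a throwaway chain
# shaped like the StartCom one (root ca.pem -> intermediate subca.pem -> server
# cert) under placeholder names, then checks two candidate trust files with
# openssl verify. Needs an openssl binary on PATH; the temp dir is left in place.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a certificate acceptable to OpenSSL as a CA/issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA, self-signed (the "StartCom Certification Authority" role).
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-root" -keyout ca.key -out ca.csr >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem >/dev/null 2>&1

# Intermediate signed by the root (the "Class 1 Primary Intermediate Server CA" role).
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-subca" -keyout subca.key -out subca.csr >/dev/null 2>&1
openssl x509 -req -in subca.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 2 \
  -extfile ca.ext -out subca.pem >/dev/null 2>&1

# Server certificate signed by the intermediate (the www.hellmi.de.pem role).
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA subca.pem -CAkey subca.key -CAcreateserial -days 2 \
  -out leaf.pem >/dev/null 2>&1

# verify_with TRUSTFILE: exit 0 when leaf.pem chains up to a self-signed root in
# TRUSTFILE. That is the same X.509 path building OCSP_basic_verify performs
# against the ssl_trusted_certificate store when it checks the responder's
# signing certificate, so a trust file that fails here fails stapling too.
verify_with() {
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# Trust file 1: only the server certificate. No issuer can be found for it, so
# OpenSSL reports "unable to get local issuer certificate", as in the nginx log.
cp leaf.pem only-leaf.trust
# Trust file 2: intermediate plus root, i.e. Maxim's "cat subca.pem ca.pem > trusted.pem".
cat subca.pem ca.pem > trusted.pem

for t in only-leaf.trust trusted.pem; do
  if verify_with "$t"; then
    echo "$t: chain OK"
  else
    echo "$t: FAIL"; openssl verify -CAfile "$t" leaf.pem 2>&1 | sed 's/^/    /' || true
  fi
done
echo "demo files left in $WORK"
```

The same intermediate-plus-root file is what goes into ssl_trusted_certificate; the server certificate itself belongs in ssl_certificate, not in the trust file.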