SSL OCSP stapling won't enable

According to ssllabs.com SSL OCSP stapling is not enabled, even though I
have the following in my http block:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;
resolver 8.8.4.4 8.8.8.8 valid=600s;
resolver_timeout 15s;

Any idea why? Here is my full ssllabs.com report:
https://www.ssllabs.com/ssltest/analyze.html?d=commando.io

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245528#msg-245528

Only when I set ssl_stapling_verify off; I can get OCSP stapling to
work on my setup. In my experience it helps to (re)load the page a few
times before testing with SSLLabs to give the server time to fetch the
OCSP response.

Best regards
MacLemon

I’m using StartSSL for my certificates, so I had problems with the
ssl_trusted_certificate too.

Just using resolver and ssl_stapling on got mine enabled.

https://www.ssllabs.com/ssltest/analyze.html?d=stevewilson.co.uk

Using openssl on the console’s helpful too:

openssl s_client -connect www.stevewilson.co.uk:443 -tls1 -tlsextdebug -status < /dev/null | grep OCSP

Not working yet gives “OCSP response: no response sent”.

Give it time to gather the data and it then gives response data.

Steve.
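
The check described in the post above, wrapped in a retry loop because the first handshakes after a reload usually carry no staple. This is an added example, not part of the original posts; it assumes `openssl` is on the PATH, and the helper names `staple_status` and `check_staple`, the retry count and the delay are hypothetical.

```shell
#!/bin/sh
# Added example; not code from the thread. Host, retry count and delay are assumptions.

# Classify `openssl s_client -status` output read on stdin.
# Prints one of: none | good | revoked | unknown | error
staple_status() {
    awk '
        /OCSP response: no response sent/ { s = "none" }
        /OCSP Response Status:/ { ok = ($0 ~ /successful/); if (!ok) s = "error" }
        /Cert Status:/ && ok    { s = $3 }
        END { print (s == "" ? "error" : s) }
    '
}

# Poll a host until a staple shows up. nginx fetches the OCSP response lazily,
# so the first handshakes after a (re)load normally report "none".
check_staple() {
    host=$1 tries=${2:-5} delay=${3:-3} i=1 st=error
    while [ "$i" -le "$tries" ]; do
        st=$(openssl s_client -connect "$host:443" -servername "$host" \
                 -status </dev/null 2>/dev/null | staple_status)
        echo "attempt $i/$tries: $st"
        [ "$st" = none ] || break      # anything but "none" is a final answer
        i=$((i + 1))
        sleep "$delay"
    done
    [ "$st" = good ]
}

# Constructed sample of s_client output with a valid staple (offline demo).
SAMPLE_GOOD='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

if [ $# -gt 0 ]; then
    check_staple "$@"
else
    printf '%s\n' "$SAMPLE_GOOD" | staple_status   # prints: good
fi
```

Run with a host name as the first argument to poll a live server; with no arguments it only classifies the constructed sample.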

Steve,

Yeah, I am getting OCSP response: no response sent. Should I try
ssl_stapling_verify off;

Any other ideas? Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245549#msg-245549

This configuration is working for me. Perhaps nginx cannot verify the
OCSP response with the bundle in /etc/pki/tls/certs/ca-bundle.trust.crt?
In my ssl_trusted_certificate file, I have these certificates, in order.

C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

I put my file in http://pastebin.com/G10e4sRh for reference.
Hope this helps!

Ryanne

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245574#msg-245574

To add a bit more info, I see your site is using a Go Daddy G2 (SHA2)
cert. In that case, here is the intermediate/root chain you’ll want to
use as ssl_trusted_certificate.

C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2

http://pastebin.com/gnWDSQ8Z

Ryanne

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245594#msg-245594

Thanks so much, that worked perfectly using
http://pastebin.com/gnWDSQ8Z.

Danke!

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,245528,245598#msg-245598
