SSL OCSP stapling won't enable

According to SSL OCSP stapling is not enabled, even though I
have the following in my http block:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/;
resolver valid=600s;
resolver_timeout 15s;

Any idea why? Here is my full report:
SSL Server Test: (Powered by Qualys SSL Labs)

Posted at Nginx Forum:

Only when I set ssl_stapling_verify off; can I get OCSP stapling to
work on my setup. In my experience it helps to (re)load the page a few
times before testing with SSLLabs, to give the server time to fetch the
OCSP response.

Best regards

I’m using StartSSL for my certificates, so I had problems with the
ssl_trusted_certificate too.

Just using resolver and ssl_stapling on got mine enabled.

Using openssl on the console’s helpful too:

openssl s_client -connect
-tls1 -tlsextdebug -status < /dev/null| grep OCSP

Not working yet gives “OCSP response: no response sent”

Give it time to gather the data and it then gives response data.



Yeah, I am getting “OCSP response: no response sent”. Should I try
ssl_stapling_verify off?

Any other ideas? Thanks.


This configuration is working for me. Perhaps nginx cannot verify the
response with the bundle in /etc/pki/tls/certs/ ? In the
ssl_trusted_certificate file, I have these certificates, in order.

C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification
C=US, ST=Arizona, L=Scottsdale,, Inc.,
OU=Sign In, CN=Go Daddy Secure
Certification Authority/serialNumber=07969287

I put my file in Go Daddy Nginx ssl_trusted_certificate - for reference.
Hope this helps!



To add a bit more info, I see your site is using a Go Daddy G2 (SHA2)
In that case, here is the intermediate/root chain you’ll want to use as

C=US, ST=Arizona, L=Scottsdale,, Inc.,
OU=Repository, CN=Go Daddy Secure Certificate
Authority - G2
C=US, ST=Arizona, L=Scottsdale,, Inc., CN=Go Daddy Root
Certificate Authority - G2



Thanks so much, that worked perfectly using
Go Daddy G2 Nginx ssl_trusted_certificate -


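The fix in this thread was an ssl_trusted_certificate file holding the intermediate and the root in order. The script below is an added example, not code from any poster: it checks offline whether a bundle chains a certificate to a root contained in that bundle. The certificate subjects, file names and function names are constructed for the demo, and it assumes OpenSSL 1.1.0 or later on the PATH.

```sh
#!/bin/sh
# Added example. All subjects and file names are constructed for the demo.

# chain_ok BUNDLE CERT: true only if CERT verifies up to a self-signed root
# using just the certificates in BUNDLE (system CA directory ignored).
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_subjects BUNDLE: print the subject of every certificate in the file.
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^subject'
}

# make_demo_chain DIR: build a throwaway root -> intermediate -> leaf chain
# plus two candidate ssl_trusted_certificate bundles.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.pem" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/inter.pem" "$d/root.pem" > "$d/trusted_full.pem"   # intermediate, then root
    cp "$d/inter.pem" "$d/trusted_inter_only.pem"              # root missing
}

demo=$(mktemp -d)
make_demo_chain "$demo"
for b in trusted_full.pem trusted_inter_only.pem; do
    if chain_ok "$demo/$b" "$demo/leaf.pem"; then
        echo "$b: leaf chains to a root inside the bundle"
    else
        echo "$b: chain incomplete"
    fi
done
rm -rf "$demo"
```

Running chain_ok and bundle_subjects against a real server certificate and the file named in ssl_trusted_certificate performs the same check.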