According to ssllabs.com SSL OCSP stapling is not enabled, even though I have the following in my http block:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;
    resolver 8.8.4.4 8.8.8.8 valid=600s;
    resolver_timeout 15s;

Any idea why? Here is my full ssllabs.com report: https://www.ssllabs.com/ssltest/analyze.html?d=commando.io

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245528#msg-245528
on 2013-12-14 08:07
on 2013-12-14 21:13
Only when I set `ssl_stapling_verify off;` can I get OCSP stapling to work on my setup. In my experience it helps to (re)load the page a few times before testing with SSLLabs to give the server time to fetch the OCSP response.

Best regards,
MacLemon
on 2013-12-15 02:38
I'm using startssl for my certificates so had problems with the ssl_trusted_certificate too. Just using resolver and ssl_stapling on got mine enabled. <https://www.ssllabs.com/ssltest/analyze.html?d=ste...

Using openssl on the console's helpful too:

    openssl s_client -connect www.stevewilson.co.uk:443 \
        -tls1 -tlsextdebug -status < /dev/null | grep OCSP

Not working yet gives "OCSP response: no response sent"; give it time to gather the data and it then gives response data.

Steve.
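As an added example (not code from the thread), the openssl probe above wrapped into a small check that classifies what the server sends, so it can be run repeatedly while nginx is still fetching the response. The `-status` output strings are the ones openssl prints; the host name and the trimmed sample outputs are constructed for offline use.

```shell
#!/bin/sh
# Classify `openssl s_client -status` output read on stdin. Prints one word:
#   stapled      - a stapled OCSP response was sent and reports the cert good
#   revoked      - a stapled response was sent but reports the cert revoked
#   no-response  - the server sent no OCSP response (what the poster sees
#                  while nginx has nothing cached or cannot verify it)
#   unknown      - output matched none of the above (handshake failure etc.)
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo "no-response" ;;
        *"Cert Status: revoked"*)            echo "revoked" ;;
        *"Cert Status: good"*)               echo "stapled" ;;
        *)                                   echo "unknown" ;;
    esac
}

# Probe a live host (needs network). -servername sends SNI so a virtual host
# returns the right certificate; stdin is closed so s_client exits at once.
# Exit status is 0 only when a good stapled response was seen, so the
# function can be dropped straight into a monitoring job.
check_ocsp_stapling() {
    host="$1"; port="${2:-443}"
    status=$(openssl s_client -connect "$host:$port" -servername "$host" \
        -status </dev/null 2>/dev/null | classify_ocsp_output)
    echo "$status"
    [ "$status" = "stapled" ]
}

# Constructed, trimmed samples of the two outputs discussed in the thread.
SAMPLE_NO_RESPONSE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================
---'

# Usage: sh ocsp_check.sh example.org [port]   (hypothetical host; uses the network)
if [ -n "$1" ]; then
    check_ocsp_stapling "$1" "$2"
fi
```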
on 2013-12-16 02:44
Steve,

Yeah, I am getting "OCSP response: no response sent". Should I try `ssl_stapling_verify off;`? Any other ideas? Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245549#msg-245549
on 2013-12-16 17:14
This configuration is working for me. Perhaps nginx cannot verify the OCSP response with the bundle in /etc/pki/tls/certs/ca-bundle.trust.crt? In my ssl_trusted_certificate file, I have these certificates, in order:

    C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
    C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certificates.godaddy.com/repository, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

I put my file in http://pastebin.com/G10e4sRh for reference. Hope this helps!

Ryanne

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245574#msg-245574
on 2013-12-16 17:23
To add a bit more info, I see your site is using a Go Daddy G2 (SHA2) cert. In that case, here is the intermediate/root chain you'll want to use as ssl_trusted_certificate:

    C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
    C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2

http://pastebin.com/gnWDSQ8Z

Ryanne

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245594#msg-245594
on 2013-12-16 20:27
Thanks so much, that worked perfectly using http://pastebin.com/gnWDSQ8Z. Danke!

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,245528,245598#msg-245598