Nginx "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"

I'm trying to set up OCSP stapling on Nginx.
I'm getting the error:

"ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"

Here's the .conf file:
server {
    ssl_certificate /etc/nginx/myfile.crt;
    ssl_certificate_key /etc/nginx/myfile.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/myfile_trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 15s;
}
Please suggest a specific solution.

I've just met the same issue when testing a new nginx config with nginx -t (run as root); in my case the error message was:

2014/11/15 01:38:43 [warn] 5114#0: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.startssl.com/sub/class1/server/ca"

However, I renewed my trial a second time a few seconds later and then it worked.

My advice is the following:
- try removing irrelevant options (the second resolver address, the valid= parameter and the resolver_timeout directive);
- check that your ssl_trusted_certificate file is a bundle of both the root CA certificate and the intermediate certificate in PEM format (in my case I appended the Class 1 Intermediate Server CA to the root CA with # cat ca.pem sub.class1.server.ca.pem > bundle_certs.pem).

I just noticed your ssl_trusted_certificate file ends with .crt. I'm not sure whether this is really relevant, but the nginx documentation says (emphasis mine):
Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server
This directive appeared in version 1.3.7.
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

So you may want to check this first.

If it may help, my OCSP config is:
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# see <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling>
ssl_stapling on;
resolver 192.168.1.254;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate https/bundle_certs.pem;
Edit: 192.168.1.254 is my home router's LAN IP. Each time I test the nginx config I get the same error the first time; I guess the resolver has to be initialized or something like that.
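A preflight checker for the prerequisites this answer walks through, added here as an example (it is not the answerer's code and not part of nginx): it parses the directives of a server block, counts the PEM certificate blocks in the ssl_trusted_certificate bundle (a correct bundle holds the root CA plus the intermediate), flags a missing resolver or more than one resolver address, and extracts the hostname nginx must resolve from the OCSP responder URL. The FAKE_CERT body, the demo file paths and the full URL http://ocsp.comodoca.com (only the host appears in the question) are constructed assumptions.

```python
"""Preflight checks for an nginx OCSP stapling config (added example, stdlib only)."""
import os
import re
import socket
import tempfile
from urllib.parse import urlparse

# One PEM certificate block. The body is a constructed placeholder, not a real
# certificate; the checks below only count PEM blocks, they do not parse ASN.1.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Simple "name arg arg;" directives; "server {" openers and "#" comments do not match.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*);", re.M)


def parse_directives(config_text):
    """Map directive name -> argument list for one server block (last occurrence wins)."""
    return {m.group(1): m.group(2).split() for m in DIRECTIVE.finditer(config_text)}


def count_pem_certs(path):
    """Number of PEM certificate blocks in a file; a stapling bundle needs root + intermediate(s)."""
    with open(path, encoding="ascii") as fh:
        return len(PEM_BLOCK.findall(fh.read()))


def responder_host(ocsp_url):
    """Host nginx must resolve (through its own 'resolver' directive) from the cert's AIA OCSP URL."""
    return urlparse(ocsp_url).hostname


def system_resolves(host):
    """True if the *system* resolver finds the host. nginx uses its 'resolver' directive
    instead, so this only tells you whether the name exists at all (needs network)."""
    try:
        socket.getaddrinfo(host, 80)
        return True
    except socket.gaierror:
        return False


def check_stapling_config(config_text, base_dir="/"):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    d = parse_directives(config_text)
    findings = []
    if d.get("ssl_stapling", ["off"])[0] != "on":
        return ["ssl_stapling is not on; nothing to check"]
    if "resolver" not in d:
        findings.append("no 'resolver' directive: nginx cannot look up the OCSP responder host")
    elif sum(1 for a in d["resolver"] if "=" not in a) > 1:
        findings.append("more than one resolver address; try a single resolver first")
    if d.get("ssl_stapling_verify", ["off"])[0] == "on":
        if "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling_verify is on but ssl_trusted_certificate is missing")
        else:
            # base_dir lets the check run against a demo tree instead of the real /etc
            path = os.path.join(base_dir, d["ssl_trusted_certificate"][0].lstrip("/"))
            if not os.path.isfile(path):
                findings.append(f"ssl_trusted_certificate file not found: {path}")
            else:
                n = count_pem_certs(path)
                if n < 2:
                    findings.append(f"trusted bundle holds {n} PEM certificate(s); "
                                    "expected root CA plus intermediate(s)")
    return findings


def write_demo_bundle(n_certs):
    """Write a constructed bundle of n fake PEM blocks under a temp dir.
    Returns (base_dir, path relative to it, absolute path)."""
    base = tempfile.mkdtemp()
    rel = "etc/nginx/bundle_certs.pem"
    os.makedirs(os.path.join(base, "etc/nginx"))
    full = os.path.join(base, rel)
    with open(full, "w", encoding="ascii") as fh:
        fh.write(FAKE_CERT * n_certs)
    return base, rel, full


# The question's server block, with ssl_trusted_certificate pointing at the demo bundle path.
QUESTION_CONFIG = """
server {
    ssl_certificate /etc/nginx/myfile.crt;
    ssl_certificate_key /etc/nginx/myfile.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/bundle_certs.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 15s;
}
"""

if __name__ == "__main__":
    base, _, _ = write_demo_bundle(1)   # only one cert: intermediate or root is missing
    for finding in check_stapling_config(QUESTION_CONFIG, base):
        print("finding:", finding)
    host = responder_host("http://ocsp.comodoca.com")   # assumed URL; host from the question
    print("responder host:", host, "- system resolves it:", system_resolves(host))
```

Run it as-is to see the two findings the answer hints at (two resolver addresses and a one-certificate bundle); point base_dir at "/" and paste your real server block to check a live install. The resolver check is deliberately separate from nginx's own lookup: nginx resolves the responder host with the configured resolver at config load, which is why the warning can appear on the first nginx -t and vanish on the next.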