Nginx “ssl_stapling” ignored, host not found in OCSP responder “ocsp.comodoca.com”

I'm trying to set up OCSP stapling on Nginx.

I'm getting the error:

"ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"

Here's the .conf file:

server {
    ssl_certificate /etc/nginx/myfile.crt;
    ssl_certificate_key /etc/nginx/myfile.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/myfile_trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 15s;
}

Please suggest a specific solution.

I've just run into the same issue when testing a new nginx config with nginx -t (run as root); in my case the error message was:

2014/11/15 01:38:43 [warn] 5114#0: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.startssl.com/sub/class1/server/ca"

However, I renewed my trial a second time a few seconds later and then it worked.

My advice is the following:

  • check that the configured resolver is responding (but I believe you used Google Public DNS, so they should be okay);
  • try to remove the extraneous options (second resolver address, valid= parameter and resolver_timeout directive);
  • check that your ssl_trusted_certificate file is a bundle of both the root CA certificate and the intermediate certificate in PEM format (in my case I appended the Class 1 Intermediate Server CA to the root CA with # cat ca.pem sub.class1.server.ca.pem > bundle_certs.pem).

I just noticed your ssl_trusted_certificate file ends with .crt. I'm not sure whether this is really relevant, but the nginx documentation says (emphasis mine):

Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server

This directive appeared in version 1.3.7.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

So you may want to check this first.

If it may help, my OCSP config is:

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# see <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling>
ssl_stapling on;
resolver 192.168.1.254;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate https/bundle_certs.pem;

Edit: 192.168.1.254 is my home router's LAN IP. Each time I test the nginx config I get the same error the first time; I guess the resolver has to be initialized or something of the like.
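Added example, not part of the question or the answer above. The warning is what nginx logs when, while loading the configuration, it cannot resolve the responder hostname it read from the certificate's Authority Information Access extension. In nginx releases of that time this lookup went through the operating system's resolver rather than the `resolver` directive (which serves the later runtime OCSP fetches), which is why a momentary DNS failure during `nginx -t` gives the on-and-off behaviour described in the answer and why the configured `8.8.8.8` made no difference to it. The script below repeats by hand, with openssl, the checks nginx needs before it can staple: it extracts the responder URL, resolves its host with the system resolver, checks that the trusted bundle contains the leaf's issuer and validates the chain, and fetches one OCSP response the way `ssl_stapling_verify` would verify it. The two file paths are the ones from the question, and `getent` is assumed to be available (glibc systems); nothing else is assumed about the machine.

```shell
#!/bin/sh
# check_stapling.sh: added example, not from the original question or answer.
# Repeats the steps nginx needs before it can staple an OCSP response for the
# certificate in ssl_certificate:
#   1. read the OCSP responder URL from the leaf's AIA extension,
#   2. resolve the responder host with the system resolver,
#   3. check that ssl_trusted_certificate contains the leaf's issuer and
#      validates the chain (ssl_stapling_verify needs this),
#   4. fetch and verify one OCSP response with openssl.
# Usage: sh check_stapling.sh /etc/nginx/myfile.crt /etc/nginx/myfile_trusted.crt
# (paths taken from the question; they are not assumed to exist on this box)

# Host part of a URL such as http://ocsp.startssl.com/sub/class1/server/ca
ocsp_host_from_url() {
    host=${1#*://}        # strip scheme
    host=${host%%/*}      # strip path
    host=${host%%:*}      # strip port
    printf '%s\n' "$host"
}

# Number of PEM certificates in a bundle (intermediate(s) plus root expected)
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a PEM bundle into cert1.pem, cert2.pem, ... inside directory $2 and
# print the resulting paths, one per line
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f != "" { print > f }' "$1"
    ls "$2"/cert*.pem
}

# Print the path of the bundle member whose subject equals the leaf's issuer,
# i.e. the certificate "openssl ocsp" needs as -issuer; fail if none matches
find_issuer() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
    for c in $(split_bundle "$2" "$3"); do
        subj=$(openssl x509 -in "$c" -noout -subject)
        # both commands print the DN in the same form after the "key=" prefix
        if [ "${leaf_issuer#issuer=}" = "${subj#subject=}" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

check_stapling() {
    cert=$1 bundle=$2
    work=$(mktemp -d) || return 1
    trap 'rm -rf "$work"' EXIT

    url=$(openssl x509 -in "$cert" -noout -ocsp_uri)
    if [ -z "$url" ]; then
        echo "no OCSP URI in $cert: nothing for nginx to staple"; return 1
    fi
    host=$(ocsp_host_from_url "$url")
    echo "OCSP responder: $url (host: $host)"

    # getent uses the system resolver (/etc/resolv.conf via NSS); a failure here
    # is the "host not found" case, independent of nginx's resolver directive
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "system resolver cannot resolve $host; fix /etc/resolv.conf first"; return 1
    fi

    echo "trusted bundle holds $(bundle_cert_count "$bundle") certificate(s)"
    issuer=$(find_issuer "$cert" "$bundle" "$work") || {
        echo "bundle does not contain the issuer of $cert; append the intermediate CA"; return 1
    }
    echo "issuer certificate: $issuer"

    # ssl_stapling_verify rejects responses that do not chain to the bundle,
    # so the leaf itself must verify against it
    openssl verify -CAfile "$bundle" "$cert" || return 1

    # Ask the responder once; "Response verify OK" plus a "good" status means
    # nginx will be able to cache and staple it
    openssl ocsp -issuer "$issuer" -cert "$cert" -url "$url" -CAfile "$bundle" -no_nonce
}

if [ "$#" -eq 2 ]; then
    check_stapling "$1" "$2"
fi
```

If the script reports that the system resolver cannot resolve the host while `dig @8.8.8.8` succeeds, the fix is in /etc/resolv.conf, not in the nginx `resolver` line; if `find_issuer` fails, the bundle is missing the intermediate that actually signed the leaf.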
