nginx：[警告]“ssl_stapling”被忽略，不受支持

Question

It's my first time to use certbot in docker with nginx

• nginx version: 1.23.1
• nginx build: docker (macbre/nginx-http3)
• OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

nginx throw this error when tring to use ocsp stabling

nginx: [warn] "ssl_stapling" ignored, not supported

cert seems to support ocsp

openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.org

nginx ssl conf

# =============================================================================
# default Certificates
ssl_certificate     /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;
# =============================================================================
ssl_dhparam         /certs/dir/dhparam.pem;

# =============================================================================
# # OCSP staplingenter code here
ssl_stapling            on;
ssl_stapling_verify     on;

# # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;

# # replace with the IP address of your resolver
resolver            1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout    3s;

# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data  on;

# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;
# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;

# Enable session tickets
ssl_session_tickets off;

Those didn't help:

• http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
• Nginx "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
• https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
• https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions and more like it
• nginx proxy doesn't cache OCSP responses
• Nginx OCSP_basic_verify:signer certificate not found

and many of this list: https://stackoverflow.com/search?q=nginx+ocsp

---

any body has encountered this issue before?

or could any one tell me how to overcome this?

I want to setup ocsp with nginx

Answer 1

OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

Based on this discussion it looks like OCSP stapling when using BoringSSL is not fully supported. While there is a patch to add support for OCSP stapling to nginx it needs to have the OCSP response provided as a file it cannot retrieve it automatically from within nginx from the OCSP responder. To cite:

Due to usage of BoringSSL instead of OpenSSL, some directives may not work, eg ssl_conf_command. Besides, direct OCSP stapling via ssl_stapling on; ssl_stapling_verify on; does not work too. You should use ssl_stapling on; ssl_stapling_file /path/to/ocsp;. The OCSP file can be generated via...