[英]nginx: [warn] "ssl_stapling" ignored, not supported
It's my first time to use certbot in docker with nginx这是我第一次在 docker 和 nginx 中使用 certbot
- nginx version: 1.23.1
nginx 版本:1.23.1
- nginx build: docker (macbre/nginx-http3)
nginx 构建:docker (macbre/nginx-http3)
- OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
OpenSSL 1.1.1(兼容;BoringSSL)(与 BoringSSL 一起运行)
nginx throw this error when tring to use ocsp stabling nginx 尝试使用 ocsp 稳定时抛出此错误
nginx: [warn] "ssl_stapling" ignored, not supported
cert seems to support ocsp证书似乎支持 ocsp
openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.org
nginx ssl conf nginx ssl 会议
# =============================================================================
# default Certificates
ssl_certificate /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;
# =============================================================================
ssl_dhparam /certs/dir/dhparam.pem;
# =============================================================================
# # OCSP staplingenter code here
ssl_stapling on;
ssl_stapling_verify on;
# # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;
# # replace with the IP address of your resolver
resolver 1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout 3s;
# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data on;
# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;
# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;
# Enable session tickets
ssl_session_tickets off;
Those didn't help:
那些没有帮助:
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
- Nginx "ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"
Nginx “ssl_stapling”被忽略,在 OCSP 响应者“ocsp.comodoca.com”中找不到主机
- https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
- https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions and more like it
https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions等等
- nginx proxy doesn't cache OCSP responses
nginx 代理不缓存 OCSP 响应
- Nginx OCSP_basic_verify:signer certificate not found
Nginx OCSP_basic_verify:未找到签署者证书
and many of this list: https://stackoverflow.com/search?q=nginx+ocsp
以及此列表中的许多内容: https://stackoverflow.com/search?q=nginx+ocsp
any body has encountered this issue before?以前有没有人遇到过这个问题?
or could any one tell me how to overcome this?或者谁能告诉我如何克服这个问题?
I want to setup ocsp with nginx我想用 nginx 设置 ocsp
OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
OpenSSL 1.1.1(兼容;BoringSSL)(与 BoringSSL 一起运行)
Based on this discussion it looks like OCSP stapling when using BoringSSL is not fully supported.基于此讨论,看起来不完全支持使用 BoringSSL 时的 OCSP 装订。 While there is a patch to add support for OCSP stapling to nginx it needs to have the OCSP response provided as a file it cannot retrieve it automatically from within nginx from the OCSP responder.
虽然有一个补丁可以将对 OCSP 装订的支持添加到 nginx,但它需要将 OCSP 响应作为文件提供,它无法从 nginx 中自动从 OCSP 响应器检索它。 To cite:
引用:
Due to usage of BoringSSL instead of OpenSSL, some directives may not work, eg ssl_conf_command.
由于使用 BoringSSL 而不是 OpenSSL,某些指令可能不起作用,例如 ssl_conf_command。 Besides, direct OCSP stapling via ssl_stapling on;
此外,直接通过 ssl_stapling on 进行 OCSP 装订; ssl_stapling_verify on;
ssl_stapling_verify 开启; does not work too.
也不行。 You should use ssl_stapling on;
你应该使用 ssl_stapling; ssl_stapling_file /path/to/ocsp;.
ssl_stapling_file /path/to/ocsp;. The OCSP file can be generated via...
OCSP文件可以通过...生成
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.