OCSP stapling in nginx with GlobalSign certificate

Question asked by romanm on Mar 14, 2014
Latest reply on Mar 25, 2014 by romanm



I'm using this nginx configuration for my site:


server {
    listen       443;

    # HSTS, two-year max-age
    add_header Strict-Transport-Security max-age=63072000;

    ssl                  on;
    # leaf certificate followed by the intermediate
    ssl_certificate      /etc/nginx/ssl/domain_crt_with_intermediate.crt;
    ssl_certificate_key  /etc/nginx/ssl/domain.key;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  10m;

    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    location / {
        root   /var/www/html;
        index  index.php index.html index.htm;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /var/www/html$fastcgi_script_name;
    }

    # block access to .htaccess / .htpasswd files
    location ~ /\.ht {
        deny  all;
    }
}


and tried to activate OCSP stapling.


I tried

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/stapeling.trusted.crt;
    resolver valid=300s;
    resolver_timeout 10s;


but it doesn't work.


I tried it with

    openssl s_client -connect -tls1 -tlsextdebug -status

and got this result:

    OCSP response: no response sent





I thought that stapeling.trusted.crt was not correct and found a way to get the right one here:


The final openssl command is:

    openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer /tmp/issuer.crt -cert /tmp/server.crt -url


with this result:

    Error querying OCSP responsder
    139908986062504:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=403,Reason=Forbidden

When I try to go in my browser to, I get: "An error occured during the request handling!!"



Can anybody help me? I don't know what to do next.
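An added example, not from the original post and not nginx's or OpenSSL's own tooling: a small POSIX shell script that splits a chain file like domain_crt_with_intermediate.crt into one file per certificate (the leaf and issuer that `openssl ocsp` needs, and the issuer material that `ssl_trusted_certificate` has to contain) and then queries the responder URL taken from the leaf certificate's Authority Information Access extension. File paths, the output directory and the responder hostname used in the test are assumptions; on OpenSSL 1.0.x, which does not add an HTTP Host header on its own (a known cause of a 403 from some responders), add `-header "Host" "<responder host>"` to the `openssl ocsp` call (OpenSSL 1.1.0 and later send it automatically).

```shell
#!/bin/sh
# Added example (not part of the original post). Splits an nginx chain file
# such as /etc/nginx/ssl/domain_crt_with_intermediate.crt (leaf first, then
# the intermediate) into one PEM file per certificate, then queries the OCSP
# responder named in the leaf certificate. All paths are assumptions.
set -eu

# split_chain CHAIN OUTDIR
# Writes OUTDIR/cert1.pem, OUTDIR/cert2.pem, ... in file order and prints
# the number of certificates found (cert1 is the leaf, cert2 its issuer).
split_chain() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# ocsp_host URL: the host[:port] part of a responder URL, which OpenSSL
# 1.0.x needs for -header "Host" <host> (1.1.0+ sends the header itself).
ocsp_host() {
    h=${1#*://}
    printf '%s\n' "${h%%/*}"
}

# ocsp_query LEAF ISSUER OUTFILE: reads the responder URL from the leaf's
# Authority Information Access extension and asks it for the status of LEAF.
# -noverify mirrors the post's diagnostic use: it checks that the responder
# answers at all, not the response signature (nginx checks that with
# ssl_stapling_verify / ssl_trusted_certificate).
ocsp_query() {
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$url" ] || { echo "no OCSP URI in $1" >&2; return 1; }
    echo "responder: $url (host $(ocsp_host "$url"))"
    openssl ocsp -noverify -no_nonce -issuer "$2" -cert "$1" \
        -url "$url" -respout "$3"
}

# Usage: sh ocsp_check.sh /etc/nginx/ssl/domain_crt_with_intermediate.crt
if [ $# -ge 1 ]; then
    work=$(mktemp -d)
    n=$(split_chain "$1" "$work")
    [ "$n" -ge 2 ] || { echo "need leaf and issuer in $1, found $n" >&2; exit 1; }
    ocsp_query "$work/cert1.pem" "$work/cert2.pem" ocsp.resp
fi
```

The written ocsp.resp can be compared with the "OCSP response" section of `openssl s_client -status` output once nginx starts stapling.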