Hello, OCSP is not working on my Raspberry Pi 2 with nginx 1.9.7 and OpenSSL 1.0.2e. I have compiled both together.

tail /var/log/nginx/error.log

    2015/12/04 22:28:21 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
    2015/12/04 22:28:29 [error] 14841#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com
    2015/12/04 22:28:30 [error] 14842#0: OCSP response not successful (1: malformedrequest) while requesting certificate status, responder: ocsp.startssl.com

Got the ca-bundle.pem from https://www.startssl.com/certs/?C=S;O=D

/etc/nginx/sites-enabled $ cat default

    ....
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    .....

OCSP is not working after checks with SSL Labs and openssl, e.g.

    echo QUIT | openssl s_client -connect www.mydomain.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

According to https://www.ietf.org/rfc/rfc2560.txt the error says:

    ....
    OCSPResponseStatus ::= ENUMERATED {
        malformedRequest (1), --Illegal confirmation request
    ....

My StartSSL certificates are SHA2 (https://www.startssl.com/certs/class1/sha2/pem/)

In /etc/nginx/sites-enabled/ I have more than one config / domain configured. But it does not matter whether I only configure OCSP in every single file or just in default.

I only found a bug report here: "OpenSSL OCSP Bad Request" (http://jfcarter.net/~jimc/documents/bugfix/21-openssl-ocsp.html) saying you have to add:

    -header "HOST" "ocsp.startssl.com"

My options for compiling openssl & nginx have been

    ./config --prefix=$STATICLIBSSL no-ssl2 no-ssl3 no-shared \
    && make depend \
    && make \
    && make install_sw

    ./configure --with-cc-opt="-I $STATICLIBSSL/include -I/usr/include" \
        --with-ld-opt="-L $STATICLIBSSL/lib -Wl,-rpath -lssl -lcrypto -ldl -lz" \
        --sbin-path=/usr/sbin/nginx \
        --conf-path=/etc/nginx/nginx.conf \
        --pid-path=/var/run/nginx.pid \
        --error-log-path=/var/log/nginx/error.log \
        --http-log-path=/var/log/nginx/access.log \
        --with-pcre=$BPATH/$VERSION_PCRE \
        --with-http_ssl_module \
        --with-http_v2_module \
        --with-file-aio \
        --with-ipv6 \
        --with-http_gzip_static_module \
        --with-http_stub_status_module \
        --without-mail_pop3_module \
        --without-mail_smtp_module \
        --without-mail_imap_module \
    && make && make install

Any ideas?

Thanks in advance,
Alexander

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,263279,263279#msg-263279

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
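The s_client check in the post only shows what nginx ended up stapling; it does not show what the responder answered to nginx's own query. The script below, an added example that is not part of Alexander's post or of nginx, issues that query by hand with `openssl ocsp` so the responder's reply (including an error status such as malformedRequest) can be read directly, and it adds the HTTP Host header that the cited bug report says some responders insist on. It assumes the OpenSSL 1.0.2-era `-header NAME VALUE` syntax (OpenSSL 1.1.0 and later spell it `-header NAME=VALUE`) and takes the leaf and issuer certificate paths as arguments; `leaf.pem` and `chain.pem` in the usage line are placeholder names, not files from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): query the OCSP
# responder named in a certificate the way nginx's ssl_stapling does, with a
# Host header, and print the responder's answer.
# Assumes OpenSSL 1.0.2 "openssl ocsp -header NAME VALUE" syntax.
# Usage: ./ocsp_check.sh leaf.pem chain.pem [responder_url]   (placeholder paths)

# RFC 2560 section 4.2.1 OCSPResponseStatus values; nginx logs them as "(N: name)".
ocsp_status_name() {
    case "$1" in
        0) echo successful ;;
        1) echo malformedRequest ;;
        2) echo internalError ;;
        3) echo tryLater ;;
        # value 4 is not used by the RFC
        5) echo sigRequired ;;
        6) echo unauthorized ;;
        *) echo "unknown($1)" ;;
    esac
}

# Host part of an http:// responder URL, without scheme, port or path,
# for the HTTP Host header.
url_host() {
    h="${1#*://}"
    h="${h%%/*}"
    echo "${h%%:*}"
}

# The command line that will be run, for logging and inspection.
# $1 = leaf cert, $2 = issuer cert, $3 = responder URL.
ocsp_query_cmd() {
    printf 'openssl ocsp -issuer %s -cert %s -url %s -header HOST %s -resp_text\n' \
        "$2" "$1" "$3" "$(url_host "$3")"
}

# Read the responder URL from the leaf's Authority Information Access extension
# (unless one is given explicitly) and run the query. openssl prints
# "Responder Error: <name> (<N>)" for a non-successful OCSPResponseStatus.
check_stapling_source() {
    leaf=$1
    issuer=$2
    url=${3:-$(openssl x509 -noout -ocsp_uri -in "$leaf")}
    if [ -z "$url" ]; then
        echo "no OCSP responder URI in $leaf" >&2
        return 2
    fi
    echo "+ $(ocsp_query_cmd "$leaf" "$issuer" "$url")" >&2
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
        -header HOST "$(url_host "$url")" -resp_text
}

# Only run the network query when certificate paths are supplied.
if [ "$#" -ge 2 ]; then
    check_stapling_source "$@"
fi
```

The issuer file must be the certificate that signed the leaf (the StartSSL intermediate, not the whole ca-bundle.pem), because `openssl ocsp` hashes the issuer's name and key to build the CertID in the request; a wrong issuer is one way to earn a malformedRequest or unauthorized status from a responder.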
