On 04.12.22 at 08:04, blason wrote:
Yes - he is right; everything revolves around DNS, and even my error was
with DNS resolving, as it was not able to resolve ocsp.godaddy.com, hence
please troubleshoot from a DNS perspective.

Hello List,

To avoid these problems I prefer https://nginx.org/r/ssl_stapling_file

Some years ago I ran an nginx instance handling thousands of vhosts.
The - in practice not noticeable - reload time was amazing!

Attached is a simplified 'update_ssl_stapling_file'.

It should be run once a day.
The operator should monitor that every 'ssl_stapling_file.der' isn't older than 3-4
days.

Andreas
#!/bin/sh

set -u

# used files:
#
# cert.pem
# - contain only the server certificate itself
#
# intermediate.pem
# - contain one or more intermediate certificates excluding the root itself
# - may be empty
# - this script assume exactly one intermediate
#
# root.pem
# - the root, unused in this example
#
# cert+intermediate.pem
# - created by 'cat cert.pem intermediate.pem > cert+intermediate.pem'
# - used as https://nginx.org/r/ssl_certificate
#
# key.pem
# - used as https://nginx.org/r/ssl_certificate_key
#
# ssl_stapling_file.der
# - created by this script
# - used as https://nginx.org/r/ssl_stapling_file

_ocsp_uri="$( openssl x509 -in cert.pem -noout -ocsp_uri )"

failed() {
  echo >&2 "$0 failed: $1"
  rm -f ssl_stapling_file.tmp
  exit 1
}
if ! _r="$( openssl ocsp                     \
              -no_nonce                      \
              -respout ssl_stapling_file.tmp \
              -CAfile  intermediate.pem      \
              -issuer  intermediate.pem      \
              -cert    cert.pem              \
              -url     "${_ocsp_uri}"        \
            2>&1 )"; then
  failed "${_r}"
fi

# the response must both verify against the issuer and report the
# certificate as 'good'; the two checks are separate so that a verified
# response for a revoked or unknown certificate is never installed
if ! echo "${_r}" | grep --text --silent -e 'Response verify OK' >/dev/null; then
  failed "${_r}"
fi

if ! echo "${_r}" | grep --text --silent -e 'cert.pem: good' >/dev/null; then
  failed "${_r}"
fi

mv ssl_stapling_file.tmp ssl_stapling_file.der
echo 'ssl_stapling_file.der updated, "nginx -s reload" is recommended'
_______________________________________________
nginx mailing list -- nginx@nginx.org
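An added example of the monitoring step the poster recommends (this is not the list poster's script and not part of nginx): it checks that the stapling file written by the script above is not older than a configurable number of days, and, more importantly, that the OCSP response inside it has not passed its Next Update time, since a response nginx considers stale is worth nothing to clients. It assumes GNU coreutils (stat -c, date -d) and an openssl binary on PATH; the file name 'ssl_stapling_file.der' and the default limit of 4 days are taken from the message above.

```shell
#!/bin/sh
# check_ssl_stapling_file: freshness check for an nginx ssl_stapling_file.
# Added example, not the list poster's script. Assumes GNU coreutils
# (stat -c, date -d) and openssl on PATH.
set -u

# Seconds since FILE was last modified (GNU stat, BSD stat as fallback).
file_age_seconds() {
  _now="$( date +%s )"
  _mtime="$( stat -c %Y "$1" 2>/dev/null || stat -f %m "$1" )"
  echo $(( _now - _mtime ))
}

# Return 0 if FILE was modified less than MAX_DAYS ago, 1 otherwise.
# Catches a cron job that silently stopped running.
stapling_file_is_fresh() {
  _age="$( file_age_seconds "$1" )"
  [ "${_age}" -lt $(( $2 * 86400 )) ]
}

# Extract the "Next Update" timestamp from 'openssl ocsp -text' output
# read on stdin, e.g. "    Next Update: Dec 11 08:04:00 2022 GMT".
parse_next_update() {
  sed -n 's/^[[:space:]]*Next Update: //p' | head -n 1
}

# Convert an OpenSSL-style timestamp ("Dec 11 08:04:00 2022 GMT")
# to epoch seconds (GNU date).
openssl_time_to_epoch() {
  date -u -d "$1" +%s
}

# Return 0 if the DER response in FILE still has a Next Update in the future.
# -noverify only decodes the response; the signature was verified by the
# update script when the file was produced.
stapling_file_not_expired() {
  _next="$( openssl ocsp -respin "$1" -noverify -text 2>/dev/null | parse_next_update )"
  [ -n "${_next}" ] || return 1
  [ "$( openssl_time_to_epoch "${_next}" )" -gt "$( date +%s )" ]
}

# Usage: check_ssl_stapling_file [FILE] [MAX_DAYS]
if [ $# -gt 0 ]; then
  _file="${1}"
  _max_days="${2:-4}"
  stapling_file_is_fresh "${_file}" "${_max_days}" \
    || { echo >&2 "${_file}: older than ${_max_days} days"; exit 1; }
  stapling_file_not_expired "${_file}" \
    || { echo >&2 "${_file}: OCSP response expired or unreadable"; exit 1; }
  echo "${_file}: ok"
fi
```

Run it from the same directory as the update script, e.g. 'check_ssl_stapling_file ssl_stapling_file.der 4' from a daily cron or a monitoring agent; a non-zero exit is the alert condition. The mtime check alone is not sufficient, because a responder that keeps returning the same old response yields a fresh file with an expired response inside, which is why the Next Update check is the one that matters.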