系统相关
首页 > 系统相关> > Nginx“ ssl_stapling”被忽略,在OCSP响应程序“ ocsp.comodoca.com”中找不到主机

Nginx“ ssl_stapling”被忽略,在OCSP响应程序“ ocsp.comodoca.com”中找不到主机

作者:互联网

我正在尝试在Nginx上设置OCSP装订

我收到错误消息:

"ssl_stapling" ignored, host not found in OCSP responder "ocsp.comodoca.com"

这是文件.conf

server {
    ssl_certificate /etc/nginx/myfile.crt;
    ssl_certificate_key /etc/nginx/myfile.key;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/myfile_trusted.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 15s;
}

请提出具体解决方案.

解决方法:

使用nginx -t(以root用户身份运行)测试新的nginx配置时,我遇到了同样的问题;就我而言,错误消息是:

2014/11/15 01:38:43 [warn] 5114#0: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.startssl.com/sub/class1/server/ca"

但是,几秒钟后,我第二次更新了试用版,然后就可以了.

我的建议如下:

>检查已配置的解析器是否正在响应(但是我相信您使用了Google Public DNS,因此应该可以);
>尝试删除多余的选项(第二个解析器地址,valid =参数和resolver_timeout指令);
>检查您的ssl_trusted_certificate文件是否同时包含根CA证书和PEM格式的中间证书(在本例中,我将Class 1中间服务器CA附加到#cat ca.pem sub.class1.server.ca的根CA. pem> bundle_certs.pem).

我只是注意到您的ssl_trusted_certificate文件以.crt结尾.我不确定这是否真的有用,但是nginx documentation says(强调我的意思):

Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server

This directive appeared in version 1.3.7.

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

因此,您可能需要先检查一下.

如果可以帮助我的OCSP配置,请执行以下操作:

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# see <http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling>
ssl_stapling on;
resolver 192.168.1.254;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate https/bundle_certs.pem;

编辑:192.168.1.254是我的家庭路由器LAN IP.每次我第一次测试nginx config时,都会遇到相同的错误,我猜测解析器必须初始化或类似的东西.

标签:nginx,ssl-certificate
来源: https://codeday.me/bug/20191121/2052844.html