How to fix the nginx warning related to OCSP. The full log line is: nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/home/ssl/atetux.com/fullchain.cer"

As a best practice, always test the nginx configuration before restarting or reloading the service.

sudo nginx -t
# output
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/home/ssl/atetux.com/fullchain.cer"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

From the output above we can see that something is wrong with the certificate and/or our nginx config. I use a Let’s Encrypt certificate, and they have announced the end of OCSP, which is related to this issue.

This happens after the certificate is renewed. Let’s verify what changed in the Let’s Encrypt certificate.
Old certificate

openssl storeutl -noout -text /home/ssl/backup/atetux.com/atetux.com.cer | grep 'Authority Information Access:' -A2
# output
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/

New certificate

openssl storeutl -noout -text /home/ssl/atetux.com/atetux.com.cer | grep 'Authority Information Access:' -A2
# output
Authority Information Access:
CA Issuers - URI:http://r3.i.lencr.org/

So the solution is to disable ssl_stapling in the server block or virtual hosts. Comment out the lines below:

ssl_stapling on;
ssl_stapling_verify on;
# add # in front to comment out these directives
#ssl_stapling on;
#ssl_stapling_verify on;

Verify the configuration again

sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

We’re good to restart the nginx daemon

sudo systemctl restart nginx
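
To find every virtual host that still enables stapling for a certificate without an OCSP responder URL, the check above can be scripted. This is an added example, not part of the original post: the function names are hypothetical, and it assumes openssl is on the PATH and that each directive sits on a single line.

```shell
#!/bin/sh
# Added example: flag nginx config files that turn ssl_stapling on for a
# certificate that carries no OCSP responder URL.

# Print the OCSP responder URL of a PEM certificate (empty if none).
# openssl x509 reads only the first certificate, i.e. the leaf of a fullchain.
ocsp_uri() {
    openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null
}

# Print the first argument of every active (uncommented) use of a directive.
# usage: active_directive NAME CONF_FILE
active_directive() {
    sed -e 's/#.*//' "$2" |
        awk -v d="$1" '$1 == d { sub(/;.*/, "", $2); print $2 }'
}

# Return 0 if CONF_FILE enables stapling for a certificate that cannot be
# stapled, 1 otherwise.
# usage: stale_stapling CONF_FILE
stale_stapling() {
    active_directive ssl_stapling "$1" | grep -qx on || return 1
    for cert in $(active_directive ssl_certificate "$1"); do
        [ -r "$cert" ] || continue
        if [ -z "$(ocsp_uri "$cert")" ]; then
            return 0
        fi
    done
    return 1
}

# Report each config file given on the command line that needs the fix.
for conf in "$@"; do
    if stale_stapling "$conf"; then
        echo "$conf: ssl_stapling is on but the certificate has no OCSP URL"
    fi
done
```

Save it under any name and pass it the virtual host files to check, for example the files in /etc/nginx/conf.d/; reading the certificates may require sudo.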
