How to fix an nginx error related to OCSP. The full log line: nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/home/ssl/atetux.com/fullchain.cer"
As a best practice, always test the nginx configuration before restarting or reloading the service
sudo nginx -t
# output
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/home/ssl/atetux.com/fullchain.cer"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
From the output above we can see there's something wrong with the certificate and/or our nginx config. I use a Let's Encrypt certificate, and Let's Encrypt has announced the end of OCSP, which is related to this issue.
This happened after the certificate was renewed. Let's verify what changed in the Let's Encrypt certificate.
Old certificate
openssl storeutl -noout -text /home/ssl/backup/atetux.com/atetux.com.cer | grep 'Authority Information Access:' -A2
# output
Authority Information Access:
    OCSP - URI:http://r3.o.lencr.org
    CA Issuers - URI:http://r3.i.lencr.org/
New certificate
openssl storeutl -noout -text /home/ssl/atetux.com/atetux.com.cer | grep 'Authority Information Access:' -A2
# output
Authority Information Access:
    CA Issuers - URI:http://r3.i.lencr.org/
The new certificate no longer has an OCSP URI, so the solution is to disable ssl_stapling in the server block or virtual hosts. Comment out the lines below:
ssl_stapling on;
ssl_stapling_verify on;

# add # to ignore these items
#ssl_stapling on;
#ssl_stapling_verify on;
Verify the configuration again
sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
We're good to restart the nginx daemon
sudo systemctl restart nginx
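
To find every site affected by the certificate change checked above before the next renewal, the following added example (not part of the original post) lists certificates that a config still asks nginx to staple and checks each for an OCSP responder URL. It assumes one directive per line and one server block per config file; the function names and the path in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes one directive per line
# and that each config file passed in holds a single server block.

# Print the ssl_certificate path from every config file that has an
# uncommented "ssl_stapling on;".
stapled_certs() {
    for conf in "$@"; do
        grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on[[:space:]]*;' "$conf" || continue
        awk '$1 == "ssl_certificate" { sub(/;.*$/, "", $2); print $2 }' "$conf"
    done
}

# Succeed only if the first certificate in the file carries an OCSP responder
# URL in its Authority Information Access extension.
has_ocsp_uri() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null)" ]
}

# Report each stapled certificate; return non-zero if any would trigger the
# '"ssl_stapling" ignored' warning or cannot be read.
audit_stapling() {
    status=0
    while IFS= read -r cert; do
        [ -n "$cert" ] || continue
        if [ ! -r "$cert" ]; then
            echo "unreadable: $cert"; status=1
        elif has_ocsp_uri "$cert"; then
            echo "ok: $cert"
        else
            echo "no OCSP URL, disable ssl_stapling: $cert"; status=1
        fi
    done <<EOF
$(stapled_certs "$@")
EOF
    return "$status"
}

# Usage (example path, adjust to your layout):
#   audit_stapling /etc/nginx/conf.d/*.conf
```
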