Nginx
Dmitry Averin, 2015-08-14 16:15:02

How do I get "OCSP stapling: Yes" on Nginx for certificates from WoSign?

Hello, friends!
I can't get "OCSP stapling: Yes" on Nginx for certificates from WoSign.
Debian 7, Nginx 1.8.0 (standard package from dotdeb).
The site's rating is A+, but "OCSP stapling: No". I did
everything according to the instructions from Habr. Config below.
Maybe some port needs to be opened additionally?
Or maybe my Nginx doesn't support OCSP stapling?
What would you recommend looking at or checking?
Thanks in advance.

server {
    listen 80;
    listen [::]:80;

    listen 443 ssl spdy;

    root /path/to/public_html;

    server_name domen.ru;
    ssl_dhparam /path/to/dh.key;
    ssl_certificate /path/to/domen.crt;
    ssl_certificate_key /path/to/domen.key;
    # chain used to verify the OCSP response (required when ssl_stapling_verify is on)
    ssl_trusted_certificate /path/to/ca-certs.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    # overrides the OCSP URL from the certificate's AIA extension
    ssl_stapling_responder http://ocsp2.wosign.cn/ca2g2/server1/free;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_ecdh_curve secp521r1;

    ssl_prefer_server_ciphers on;

    # resolver is needed so nginx can look up the OCSP responder's hostname
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
}

1 answer(s)
Ergil Osin, 2015-08-14
@averuga

Try contacting ocsp6.wosign.com.
Their servers don't always respond, alas.
Or try checking again later.
Right now we see "OCSP ERROR: Exception: Read timed out" when checking, but yesterday everything was fine. This is a WoSign problem.
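The two checks a practitioner would want here, as an added example that is not part of the question or the answer above: first, ask the server directly whether it staples an OCSP response (rather than relying on an external scanner), and second, query the OCSP responder by hand to tell a WoSign-side outage apart from an nginx-side misconfiguration. The hostname, certificate paths and responder URL are placeholders to be replaced; `domen.crt` and `ca-certs.pem` stand for the files named in the question's config. One caveat the script accounts for: nginx fetches the OCSP response lazily on the first TLS handshake after a start or reload, so the very first connection usually reports "no response sent" even when stapling is configured correctly.

```shell
#!/bin/sh
# Added example (not the poster's or nginx's code): check OCSP stapling from
# the client side and query the OCSP responder directly.

# Classify the output of `openssl s_client -status` read from stdin.
# Working stapling prints "OCSP Response Status: successful (0x0)";
# no stapled response prints "OCSP response: no response sent".
stapling_status() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo yes ;;
        *"no response sent"*)                 echo no ;;
        *)                                    echo unknown ;;
    esac
}

# Connect twice: the first handshake after a reload only triggers nginx's
# fetch of the OCSP response, so a "no" on attempt 1 is not yet a failure.
check_live() {
    host=$1
    for attempt in 1 2; do
        status=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
                     -servername "$host" -status 2>/dev/null | stapling_status)
        echo "attempt $attempt: stapled OCSP response: $status"
        [ "$status" = yes ] && return 0
        sleep 3
    done
    return 1
}

# Ask the responder about the server certificate ourselves.
# $1 = responder URL, $2 = issuer/CA chain PEM, $3 = server certificate PEM.
# A timeout or "Error querying OCSP responder" here means the responder is
# unreachable, which is exactly what nginx hits when fetching the response.
# The response signature is verified against the CA chain, as nginx does
# with ssl_stapling_verify on.
query_responder() {
    openssl ocsp -issuer "$2" -cert "$3" -url "$1" -CAfile "$2" \
        -timeout 10 -resp_text
}

# Usage: sh check_ocsp.sh domen.ru
#        (then, to test the responder by hand:)
#        . ./check_ocsp.sh; query_responder http://ocsp6.wosign.com \
#            /path/to/ca-certs.pem /path/to/domen.crt
if [ -n "${1:-}" ]; then
    check_live "$1"
fi
```

If `check_live` still prints "no" on the second attempt while `query_responder` returns "good" quickly, the problem is on the nginx side (chain in `ssl_trusted_certificate`, `resolver`, or the responder override); if `query_responder` itself hangs or errors, the responder is down or unreachable from the server, which matches the answer above. With the OpenSSL 1.0.x shipped on Debian 7, `openssl ocsp` does not send an HTTP Host header by default, and some responders reject such requests; adding `-header Host ocsp6.wosign.com` (the 1.0.x two-argument form) works around that.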
