My web server is intentionally set up to only support virtual hosts and TLS SNI. I know that the latter eliminates some ancient web browsers but I don't care about those browsers.
I want to enable OCSP stapling and it seems to be configured correctly in my test vhost (everything else about SSL already works fine - I get an A on the Qualys SSL Labs test) and there are no errors or warnings but "openssl s_client" always returns:
"OCSP response: no response sent"
Yes, I ran the s_client command multiple times to account for the nginx responder delay. I was testing OCSP stapling on just one of my domains. Then I read that the 'default_server' SSL server also has to have OCSP stapling enabled for vhost OCSP stapling to work:
https://gist.github.com/konklone/6532544
This is a huge problem if I want to enable OCSP for my vhosts because my 'default_server' certificate is self-signed (intentional) and running 'configtest' with 'ssl_stapling' options on the default server, of course, results in a warning:
"nginx: [warn] "ssl_stapling" ignored, issuer certificate not found"
This indicates that it isn't enabled on the default server, and subsequent s_client tests (after reloading the config, which, of course, issued the same warning a second time) on the test vhost confirm that there was still no OCSP stapling. It was a long shot in the first place.
So how do I enable OCSP stapling for my vhosts when the default server cert is self-signed? This seems like a potential bug in the nginx SSL module.
Other useful info: Running nginx 1.6.2 (Stable) built from source. My 'resolver 127.0.0.1' line in my config points at a local BIND9 server that 'dig myvhostdomain.com @localhost' confirms is working just fine - so it isn't a DNS resolver issue as far as I can tell. The error logs are quiet other than the warning I got when I added the OCSP stapling options to 'default_server'.
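An added check, not from the post or from nginx, for verifying stapling on a name-based (SNI-only) setup: it queries each vhost with the SNI name passed explicitly via `-servername`, so the test cannot silently land on `default_server`, and it classifies the `-status` output. It assumes the openssl CLI is installed; the hostname and host:port are placeholders and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not the original poster's code): verify OCSP stapling per SNI name.
# Assumes the openssl CLI; hostnames and ports below are placeholders.

# Classify captured "openssl s_client -status" output read from stdin:
# prints "stapled", "none" (server sent no status) or "unknown".
stapling_status() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo none
  else
    echo unknown
  fi
}

# Query one vhost. The SNI name is sent explicitly with -servername: on a
# name-based setup a client that omits SNI is answered by default_server,
# whose self-signed certificate can never carry a stapled response.
# nginx fetches the OCSP response lazily after the first handshake, so the
# query is repeated (default 3 tries, 2 s apart) before concluding "none".
check_stapling() {
  sni=$1; target=$2; tries=${3:-3}
  while :; do
    result=$(printf 'Q\n' | openssl s_client -connect "$target" \
               -servername "$sni" -status 2>/dev/null | stapling_status)
    tries=$((tries - 1))
    if [ "$result" = stapled ] || [ "$tries" -le 0 ]; then break; fi
    sleep 2
  done
  printf '%s %s\n' "$sni" "$result"
}

# Constructed excerpt of s_client output, used for an offline self-check.
sample_stapled='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'

# Usage: ./check_stapling.sh www.example.com 203.0.113.10:443
if [ $# -ge 2 ]; then
  check_stapling "$1" "$2"
else
  printf 'sample: %s\n' "$(printf '%s\n' "$sample_stapled" | stapling_status)"
fi
```

Run it once per vhost name against the same IP:port; a "none" on every name after the retries points at the stapling configuration, while "stapled" only when the SNI name is supplied shows the earlier test was hitting `default_server`.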