
I'm setting up OCSP stapling on Nginx and get this error:

OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com

This is the nginx config file:

server {
     ssl_certificate /etc/nginx/crtfile.crt;
     ssl_certificate_key /etc/nginx/keyfile.key;

     ssl_stapling on;
     ssl_stapling_verify on;
     ssl_trusted_certificate /etc/nginx/crttrusted.crt;
     resolver 8.8.8.8 8.8.4.4 valid=300s;
     resolver_timeout 15s;
}

Please suggest a specific solution.

user3171689
    This question appears to be off-topic because it is not about programming. See [What topics can I ask about here](https://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Server Fault](http://serverfault.com/) or [Webmaster Stack Exchange](http://webmasters.stackexchange.com/) would be a better place to ask. – jww Jun 26 '14 at 12:49
  • does my answer below help you? – Anatoly Jul 18 '14 at 20:40

2 Answers


You need to have a CNAME to make it happen. Here is how it should look:

SPECIAL_KEY.your_domain.com CNAME SPECIAL_KEY.comodoca.com

Obtain the special key directly from Comodo.

Then check your certificate chain; please be careful to concatenate it in the proper order (see details here).

Anatoly
  • I haven't understood yet :|. Is this problem in the nginx config? Visit http://trac.nginx.org/nginx/ticket/556 . Changing the content of the .crt file, is that way suitable? – user3171689 Jul 28 '14 at 04:27
  • @mikhailov I'm having the same issue. Called Comodo and mentioned the CNAME, and the support rep was clueless. Have you done this before with Comodo? Any URL to request the SPECIAL_KEY? – anthumchris Feb 13 '15 at 23:19
  • @Chris, try to mention "domain validation with DNS CNAME record", then it makes things easier to explain to support reps. A DNS record can also be used to provide OCSP stapling. – Anatoly Feb 14 '15 at 18:32
  • I switched to AlphaSSL. I've used it before and it just works with OCSP. Comodo gave me the runaround and couldn't solve the issue. – anthumchris Feb 20 '15 at 03:59


The issue for me ended up being the intermediate certificate wasn't set up properly - I needed to concatenate the intermediate cert with the normal cert into a single file and use that file under 'ssl_certificate'.

e.g. cat www.example.com.crt bundle.crt > www.example.com.chained.crt

As detailed here: http://nginx.org/en/docs/http/configuring_https_servers.html#chains
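As an added example (not code from either answer), here is a POSIX shell script that builds a constructed root/intermediate/leaf chain with openssl and checks that a concatenated PEM bundle is in the order nginx expects: each certificate followed by its issuer. It covers the "proper order" warning in the first answer and the `cat` command in the second; a missing or misordered intermediate is the cause the second answer describes for "signer certificate not found". The certificate names and file paths are assumptions made for the example.

```shell
# Added example: check the order of a concatenated PEM bundle (leaf first,
# each cert followed by its issuer). Test chain is constructed locally.
set -u

# split_pem BUNDLE OUTDIR: write each certificate of BUNDLE to OUTDIR/cert-N.pem
split_pem() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
                     f { print > f }
                     /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# check_chain_order BUNDLE: return 0 if cert i was issued by cert i+1 for every i,
# 1 otherwise (the misordered bundle that nginx cannot use to find the OCSP signer).
check_chain_order() {
    dir=$(mktemp -d) || return 2
    split_pem "$1" "$dir"
    rc=0
    i=1
    while [ -f "$dir/cert-$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        subject=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i issuer '$issuer' != cert $((i + 1)) subject '$subject'" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $rc
}

# make_test_chain DIR: constructed root -> intermediate -> leaf (hypothetical names)
make_test_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" -subj "/CN=Constructed Test Root" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Constructed Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.com" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.crt" -days 1 2>/dev/null
    # what ssl_certificate should contain: leaf, then intermediate (the answer's cat)
    cat "$d/leaf.crt" "$d/int.crt" > "$d/chained.crt"
    # what ssl_trusted_certificate should contain: intermediate, then root
    cat "$d/int.crt" "$d/root.crt" > "$d/trusted.crt"
    # the common mistake: intermediate placed before the leaf
    cat "$d/int.crt" "$d/leaf.crt" > "$d/wrong.crt"
}
```

Run `check_chain_order /etc/nginx/crtfile.crt` against your own bundle; a non-zero exit prints the first adjacent pair whose issuer and subject do not match.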