nginx:[警告] "ssl_stapling“被忽略,不受支持
nginx:[警告] "ssl_stapling“被忽略,不受支持
提问于 2022-10-09 23:43:04
这是我第一次在与nginx对接时使用certbot
- nginx版本: 1.23.1
- nginx构建: docker (macbre/nginx 3)
- OpenSSL 1.1.1 (兼容;BoringSSL) (与BoringSSL一起运行)
当尝试使用ocsp稳定时,nginx抛出此错误。
nginx: [warn] "ssl_stapling" ignored, not supportedcert似乎支持ocsp。
openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.orgnginx ssl conf
# =============================================================================
# default Certificates
ssl_certificate /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;
# =============================================================================
ssl_dhparam /certs/dir/dhparam.pem;
# =============================================================================
# # OCSP staplingenter code here
ssl_stapling on;
ssl_stapling_verify on;
# # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;
# # replace with the IP address of your resolver
resolver 1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout 3s;
# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data on;
# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;
# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;
# Enable session tickets
ssl_session_tickets off;这些都没有帮助:
- 装订
- “装订”被忽略,在OCSP响应程序"ocsp.comodoca.com“中找不到主机
- https://www.openssl.org/docs/man1.1.1/man1/ocsp.html
- https://www.nginx.com/resources/wiki/start/topics/tutorials/installoptions和更喜欢它
- nginx代理不缓存OCSP响应
- 验证:找不到签字人证书
这个列表中的许多内容:https://stackoverflow.com/search?q=nginx+ocsp
以前有没有人遇到过这个问题?
或者谁能告诉我如何克服这个问题?
我想用nginx安装ocsp
回答 1
Stack Overflow用户
回答已采纳
发布于 2022-10-10 06:06:58
OpenSSL 1.1.1 (兼容;BoringSSL) (与BoringSSL一起运行)
基于这一讨论,当使用BoringSSL时,似乎不完全支持OCSP装订。虽然有个补丁要将对OCSP装订的支持添加到nginx,但它需要将OCSP响应作为一个文件提供,但它不能从nginx中从OCSP响应程序自动检索它。举个例子:
由于使用了BoringSSL而不是OpenSSL,一些指令可能无法工作,例如ssl_conf_command。此外,通过ssl_stapling on直接装订OCSP;ssl_stapling_verify on;也不工作。您应该使用ssl_stapling on;ssl_stapling_file /path/to/ocsp;。OCSP文件可以通过.
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/74009118
复制相关文章
相似问题
腾讯云开发者
