nginx: [warn] "ssl_stapling" ignored, not supported

gijlo24d, posted 2022-11-02 in Nginx

This is my first time using certbot with nginx in Docker.

  • nginx version: 1.23.1
  • nginx build: Docker (macbre/nginx-http3)
  • built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

nginx throws this error when I try to use OCSP stapling:

nginx: [warn] "ssl_stapling" ignored, not supported

The cert seems to support OCSP:

openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.org

nginx SSL configuration:

# =============================================================================
# default Certificates
ssl_certificate     /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;

# =============================================================================
ssl_dhparam         /certs/dir/dhparam.pem;

# =============================================================================
# OCSP stapling
ssl_stapling            on;
ssl_stapling_verify     on;

# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;

# replace with the IP address of your resolver
resolver            1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout    3s;

# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data  on;

# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;

# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;

# Enable session tickets
ssl_session_tickets off;

These did not help:

and many from this list: https://stackoverflow.com/search?q=nginx+ocsp
Has anyone run into this problem before?
Or can someone tell me how to get past it?
I want to set up OCSP with nginx.

vs91vp4v  1#

> built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

Based on this discussion, it looks like OCSP stapling is not fully supported when BoringSSL is used. There is a patch that adds OCSP stapling support to nginx, but it requires the OCSP response to be supplied as a file; it cannot be fetched automatically from the OCSP responder inside nginx.
Because BoringSSL is used instead of OpenSSL, some directives may not work, for example ssl_conf_command. Likewise, direct OCSP stapling via ssl_stapling on; ssl_stapling_verify on; does not work either. You should use ssl_stapling on; ssl_stapling_file /path/to/ocsp;. The OCSP file can be generated as follows...
