OCSP_basic_verify() failed


OCSP_basic_verify() failed

vedranf
I tried nginx 1.3.10 with ocsp stapling... but I get this error:

2013/01/09 09:14:52 [error] 27663#0: OCSP_basic_verify() failed (SSL:
error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
error:Verify error:unable to get local issuer certificate) while requesting
certificate status, responder: ocsp.startssl.com

my config looks like this

server {
    listen [::]:443 ssl spdy;

    ssl on;
    ssl_certificate      /etc/ssl/private/www.hellmi.de.pem;
    ssl_certificate_key      /etc/ssl/private/www.hellmi.de.key;

    ## OCSP Stapling
    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;

    server_name  www.hellmi.de;

   ...
}

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234832,234832#msg-234832

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
Re: OCSP_basic_verify() failed

Maxim Dounin
Hello!

On Wed, Jan 09, 2013 at 04:27:12AM -0500, philipp wrote:

> I tried nginx 1.3.10 with ocsp stapling... but I get this error:
>
> 2013/01/09 09:14:52 [error] 27663#0: OCSP_basic_verify() failed (SSL:
> error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
> error:Verify error:unable to get local issuer certificate) while requesting
> certificate status, responder: ocsp.startssl.com
>
> my config looks like this
>
> server {
>     listen [::]:443 ssl spdy;
>
>     ssl on;
>     ssl_certificate      /etc/ssl/private/www.hellmi.de.pem;
>     ssl_certificate_key      /etc/ssl/private/www.hellmi.de.key;
>
>     ## OCSP Stapling
>     resolver 127.0.0.1;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>
>     server_name  www.hellmi.de;
>
>    ...
> }

http://nginx.org/r/ssl_stapling_verify

Quote:

For verification to work, the certificate of the issuer of the
server certificate, the root certificate, and all intermediate
certificates should be configured as trusted using the
ssl_trusted_certificate directive.


--
Maxim Dounin
http://nginx.com/support.html

Re: OCSP_basic_verify() failed

vedranf
I have created a trust file both ways:

cat www.hellmi.de.pem >  www.hellmi.de.trust
cat subca.pem >> www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

or

cat subca.pem > www.hellmi.de.trust
cat ca.pem >> www.hellmi.de.trust

and configured it as ssl_trusted_certificate, this did not help either. How
do I create a trusted certificate for a StartCom CA?

This chain looks like this:

StartCom Certification Authority (ca.pem)
StartCom Class 1 Primary Intermediate Server CA (subca.pem)
www.hellmi.de (www.hellmi.de.pem)

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234832,234836#msg-234836

Re: OCSP_basic_verify() failed

Maxim Dounin
Hello!

On Wed, Jan 09, 2013 at 05:02:11AM -0500, philipp wrote:

> I have created a trust file both ways:
>
> cat www.hellmi.de.pem >  www.hellmi.de.trust
> cat subca.pem >> www.hellmi.de.trust
> cat ca.pem >> www.hellmi.de.trust
>
> or
>
> cat subca.pem > www.hellmi.de.trust
> cat ca.pem >> www.hellmi.de.trust
>
> and configured it as ssl_trusted_certificate, this did not help either. How
> do I create a trusted certificate for a StartCom CA?
>
> This chain looks like this:
>
> StartCom Certification Authority (ca.pem)
> StartCom Class 1 Primary Intermediate Server CA (subca.pem)
> www.hellmi.de (www.hellmi.de.pem)

Something like

cat sub.class1.server.ca.pem ca.pem > trusted.pem

should be enough (files named to match ones available from
StartCom).  I've just tested with a free class 1 cert from
StartCom, and it works fine.  If you still see errors with
ssl_trusted_certificate configured - you may want to provide more
details.

--
Maxim Dounin
http://nginx.com/support.html

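The following script is an added example, not code from the thread, from StartCom or from nginx. It builds a throwaway root -> intermediate -> leaf chain with the openssl CLI and then runs OpenSSL's verifier, which does the same chain building that OCSP_basic_verify() relies on, against three trust files: the root alone, the intermediate alone, and the two-file concatenation Maxim suggests. The file and subject names (ca.pem, subca.pem, leaf.pem, Example Root CA, www.example.test) are hypothetical stand-ins for the StartCom files named in the thread.

```shell
#!/bin/sh
# Added example; not code from the thread or from nginx. Builds a throwaway
# root -> intermediate -> leaf chain and checks which trust files let the
# leaf verify. Names are hypothetical stand-ins for ca.pem, subca.pem and
# www.hellmi.de.pem from the thread.
set -eu

# Create root, intermediate and server certificates in directory $1.
build_chain() {
    dir=$1

    # Minimal req config so the example does not depend on the system openssl.cnf.
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = placeholder\n' > "$dir/req.cnf"
    printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nsubjectAltName = DNS:www.example.test\n' > "$dir/leaf.ext"

    # Root CA, self-signed: the stand-in for StartCom's ca.pem.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 2 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

    # Intermediate CA signed by the root: the stand-in for sub.class1.server.ca.pem.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/subca.key" -out "$dir/subca.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/subca.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 2 -extfile "$dir/ca.ext" -out "$dir/subca.pem" 2>/dev/null

    # Server certificate signed by the intermediate: the stand-in for www.hellmi.de.pem.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/subca.pem" -CAkey "$dir/subca.key" -CAcreateserial \
        -days 2 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# Verify leaf $2 against trust file $1; print "ok" or the verifier's reason.
verify_leaf() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo ok
    else
        # keep only the reason from "error N at D depth lookup: <reason>"
        printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

main() {
    work=$(mktemp -d)
    build_chain "$work"

    cat "$work/ca.pem" > "$work/root_only.pem"                  # root, no intermediate
    cat "$work/subca.pem" "$work/ca.pem" > "$work/trusted.pem"   # Maxim's: cat sub ca > trusted.pem

    echo "root only:            $(verify_leaf "$work/root_only.pem" "$work/leaf.pem")"
    echo "intermediate only:    $(verify_leaf "$work/subca.pem" "$work/leaf.pem")"
    echo "intermediate + root:  $(verify_leaf "$work/trusted.pem" "$work/leaf.pem")"

    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found; nothing to do" >&2
fi
```

The first line of output is the reason from the nginx log in the thread, "unable to get local issuer certificate": with only the root in the trust file the verifier cannot find who signed the leaf. The intermediate alone gives "unable to get issuer certificate", because the chain then stops at a trusted certificate that is not self-signed. Only the concatenation of intermediate and root verifies, which is what ssl_trusted_certificate must point at.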
Re: OCSP_basic_verify() failed

vedranf
Thanks for your help, I guess I found the problem... I had two vhosts with
ocsp. But only one host had a working trusted certificate.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,234832,235032#msg-235032

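Putting Maxim's answer and the poster's final finding together, here is an added configuration example. It is not the poster's config and not text from the nginx documentation; the chain file path /etc/ssl/startcom-chain.pem and the second host name other.example.test are hypothetical. It shows a vhost with ssl_stapling_verify and a matching ssl_trusted_certificate next to a second vhost that enables stapling but lacks the trust file, which is the situation that produced the error in the thread for one of the two hosts.

```nginx
# Added example, not the poster's config. Built once outside nginx from the
# CA's published files, as in Maxim's reply:
#   cat sub.class1.server.ca.pem ca.pem > /etc/ssl/startcom-chain.pem

server {
    listen [::]:443 ssl;
    server_name www.hellmi.de;

    ssl_certificate     /etc/ssl/private/www.hellmi.de.pem;
    ssl_certificate_key /etc/ssl/private/www.hellmi.de.key;

    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;
    # intermediate + root: what OCSP_basic_verify() needs to build the chain
    ssl_trusted_certificate /etc/ssl/startcom-chain.pem;
}

# Second vhost (hypothetical name) that also staples but has no trust file.
# nginx verifies each host's OCSP response on its own, so this host keeps
# logging "OCSP_basic_verify() failed ... unable to get local issuer
# certificate" even though the first vhost is configured correctly.
server {
    listen [::]:443 ssl;
    server_name other.example.test;

    ssl_certificate     /etc/ssl/private/other.example.test.pem;
    ssl_certificate_key /etc/ssl/private/other.example.test.key;

    resolver 127.0.0.1;
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_trusted_certificate is missing here: add it, or set it once at http level
}
```

ssl_trusted_certificate is accepted in the http context as well as in server, so when every vhost chains to the same CA a single directive at http level covers all of them and removes this class of mistake. To check a host after reloading, `openssl s_client -connect www.hellmi.de:443 -servername www.hellmi.de -status` should show an OCSP Response Status of successful rather than "no response sent"; nginx fetches the response in the background after the first connection, so the very first handshake may still show no staple.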