Nginx Web server sometimes trigger an ssl_stapling ignored Certificate error when trying to restart it. This error occurs as a result of an issue with the Certificate.
Here at Ibmi Media, as part of our Server Support Services, we help customers fix SSL related issues.
In this context, we will look into the cost of this error and how to to get rid of it.
When checking the status of the Nginx syntax with the command (nginx -t), this error occurs and you will see an error message as shown below;
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/usr/local/psa/var/certificates/hhdgd87hh”
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Different factors triggers this error such as;
i. When the crt file is not properly bundled with the CA.
ii. In situations where the Certificate Authority is not available for the SSL Certificate.
iii. The validity of the Certificate cannot be verified by the OCSP due to absent of an outbound connection.
To fix this error, let us consider different scenarios;
1. In Plesk control panel, you need to enable OCSP Stapling feature.
To do this, follow the instruction below;
i. To begin, Log into your Plesk Panel.
ii. Next Click on the Domain tab followed by the domain name according to your situation. From the domain, you have to choose SSL/TLS Certificates.
iii. Now disable the OCSP Stapling option.
iv. Finally, do re-enable the OCSP option again.
The issued Certificate must be verifiable for OCSP Stapling to work.
Ensure that the OCSP responder hostname resolves by adding the resolver directive into the vhost configuration as shown below;
#where /etc/secrets/trusted is the CA.
resolver <IP DNS resolver>;
Now the ssl_trusted_certificate should be pointing to the root certificate and not the self signed certificate.
Follow the steps below;
i. Start with combining the crt files into a bundle just like;
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
ii. Next, store the bundle in a specified location where Nginx can reference to it as seen below;
mkdir -p /etc/nginx/ssl/domain_com/
mv ssl-bundle.crt /etc/nginx/ssl/domain_com/
iii. Ensure that the location of the private key is accessible by Nginx as well;
mv domain_com.key /etc/nginx/ssl/domain_com/
iv. Now point the location of your certificate files in the Nginx configuration file as seen below;
# side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
v. Finally, restart Nginx to effect changes.
ssl_stapling ignored Certificate error occurs when there are problems in the Certificate files experienced while trying to restart Nginx web server.