

How to fix ssl_stapling ignored ssl error

The Nginx web server sometimes reports an ssl_stapling ignored certificate error when you try to restart it. This error occurs as a result of an issue with the certificate.

Here at Ibmi Media, as part of our Server Support Services, we help customers fix SSL related issues.

In this context, we will look into the cause of this error and how to get rid of it.

What triggers ssl_stapling ignored Certificate issue?

When you check the Nginx configuration syntax with the command nginx -t, this error occurs and you will see an error message like the one below:



nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/psa/var/certificates/hhdgd87hh"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok


Different factors trigger this error, such as:

i. The crt file is not properly bundled with the CA.
ii. The Certificate Authority is not available for the SSL Certificate.
iii. The validity of the Certificate cannot be verified by OCSP due to the absence of an outbound connection.

How to fix ssl_stapling ignored Certificate issue?

To fix this error, let us consider different scenarios:

1. In the Plesk control panel, you need to enable the OCSP Stapling feature.
To do this, follow the instructions below:

i. To begin, log into your Plesk Panel.
ii. Next, click on the Domain tab and then on the domain name that applies to your situation. For that domain, choose SSL/TLS Certificates.
iii. Now disable the OCSP Stapling option.
iv. Finally, re-enable the OCSP option.

2. Configuring the OCSP stapling.

The issued Certificate must be verifiable for OCSP Stapling to work.
Ensure that the OCSP responder hostname resolves by adding the resolver directive to the vhost configuration as shown below:

ssl_stapling on;
ssl_stapling_verify on;
# where /etc/secrets/trusted is the CA
ssl_trusted_certificate /etc/secrets/trusted;
# replace the placeholder with the IP address of your DNS resolver
resolver <IP DNS resolver>;


The ssl_trusted_certificate directive should point to the root certificate and not the self-signed certificate.

3. Merge the crt files into a bundle.

Follow the steps below:

i. Start by combining the crt files into a bundle, like this:

cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt


ii. Next, store the bundle in a location that Nginx can reference, as seen below:

mkdir -p /etc/nginx/ssl/domain_com/
mv ssl-bundle.crt /etc/nginx/ssl/domain_com/


iii. Ensure that the private key is in a location accessible to Nginx as well:

mv domain_com.key /etc/nginx/ssl/domain_com/



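iv. Now point to the location of your certificate files in the Nginx configuration file, as seen below:

server {
    # "ssl on;" is obsolete since nginx 1.15.0; enable TLS on the listen socket instead
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/domain_com/ssl-bundle.crt;
    # same key file that was moved into place in step iii
    ssl_certificate_key /etc/nginx/ssl/domain_com/domain_com.key;
    # side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities;
    # TLSv1 and TLSv1.1 are deprecated as well (RFC 8996).
    # TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+
    ssl_protocols TLSv1.2 TLSv1.3;
    # …
}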


v. Finally, restart Nginx to effect changes.
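
A pre-flight check for the bundle built in step 3, as an added example that is not part of the original article: it reports whether the issuer of the first certificate in a PEM bundle appears later in that bundle, which is the condition behind the "issuer certificate not found" warning. The function names and the throwaway demo CA are assumptions made for illustration, and the comparison is by subject/issuer name hash only.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check for the
# "issuer certificate not found" warning. Compares names only; it does not
# verify signatures or contact the OCSP responder.

# make_demo_chain DIR: constructed sample input, a throwaway CA and leaf.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Issuing CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
}

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-N.pem.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# check_stapling_chain BUNDLE
# 0: issuer of the first (leaf) certificate is present later in BUNDLE
# 1: issuer missing from BUNDLE    2: no certificate found in BUNDLE
check_stapling_chain() {
    tmp=$(mktemp -d) || return 2
    split_bundle "$1" "$tmp"
    if [ ! -f "$tmp/cert-1.pem" ]; then rm -rf "$tmp"; return 2; fi
    want=$(openssl x509 -in "$tmp/cert-1.pem" -noout -issuer_hash)
    uri=$(openssl x509 -in "$tmp/cert-1.pem" -noout -ocsp_uri)
    # The hostname in this URI is what the resolver directive must resolve.
    echo "OCSP responder: ${uri:-none listed in certificate}"
    rc=1
    for c in "$tmp"/cert-*.pem; do
        [ "$c" = "$tmp/cert-1.pem" ] && continue
        have=$(openssl x509 -in "$c" -noout -subject_hash)
        if [ "$have" = "$want" ]; then rc=0; fi
    done
    rm -rf "$tmp"
    return $rc
}
```

A return code of 1 for a bundle means the issuer has to come from somewhere else, such as the file named by ssl_trusted_certificate.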

Need support in fixing SSL errors? We are available.


Conclusion

The ssl_stapling ignored certificate error occurs when there are problems with the certificate files while trying to restart the Nginx web server.