nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

HotBurek ::

Good morning.

Here we go, boys and girls: new day, new challenge.

The setup is simple: nginx and Let's Encrypt/certbot.

Today I noticed that the nginx -t command has started returning a warn:

nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL
in the certificate "/etc/letsencrypt/live/domain_name/fullchain.pem"

As far as I could tell from the certificate, it was "obnovljen" yesterday. Damn, at this hour I can't remember the proper word any more. Renew...ed?

In the archive folder I can see that the size of the cert* and fullchain* files changed:

-rw-r--r-- 1 root root 1330 Mar 23 11:59 cert1.pem
-rw-r--r-- 1 root root 1285 May 22 17:05 cert2.pem
-rw-r--r-- 1 root root 1566 Mar 23 11:59 chain1.pem
-rw-r--r-- 1 root root 1566 May 22 17:05 chain2.pem
-rw-r--r-- 1 root root 2896 Mar 23 11:59 fullchain1.pem
-rw-r--r-- 1 root root 2851 May 22 17:05 fullchain2.pem
-rw------- 1 root root  241 Mar 23 11:59 privkey1.pem
-rw------- 1 root root  241 May 22 17:05 privkey2.pem

And this warn was not present before (two days ago).

As far as the online documentation says, the correct nginx config is:

ssl_certificate points to fullchain.pem
ssl_certificate_key points to privkey.pem
ssl_trusted_certificate points to chain.pem

That is how I have had it set up for a year or three, four.

Howto: OCSP Stapling for NGINX

How to set `ssl_trusted_certificate` in nginx configuration file?

Now I compared what the difference is between fullchain 1 and 2.

The first (fullchain1.pem) has the intermediate certificate named E5, the second (fullchain2.pem) has the intermediate certificate named E6. In short, these are two different intermediate certificates. That by itself doesn't mean anything yet.


Both certificates are on the list (among others) here:

https://letsencrypt.org/certificates/

................................................

And in the last hour I got myself thoroughly tangled up... first I deleted fullchain.pem... then completely forgot how to create a symlink, deleted the archive as well... then certbot started generating domain-0001, domain-0002 folders...:

-0001 cert directories?

And in the end I did so many renews that I hit the rate limit:

acme.messages.Error: urn:ietf:params:acme:error:rateLimited ::
There were too many requests of a given type :: too many certificates (5) already issued
for this exact set of domains in the last 168h0m0s, retry after 2025-05-24 00:43:09 UTC:
see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames

Looks like I will have to continue this later, otherwise there is going to be some serious damage. :))
root@debian:/# iptraf-ng
fatal: This program requires a screen size of at least 80 columns by 24 lines
Please resize your window

HotBurek ::

UPDATE 1

Despite the warnings I carried on working and overwrote fullchain1.pem.

Now I have the following error:

nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/letsencrypt/live/domain_name/privkey.pem")
failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

Renewal configuration file /etc/letsencrypt/renewal/domain_name.conf produced an unexpected error:
fullchain does not match cert + chain for domain_name!. Skipping.


Real nice.
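The two failure states in this thread (the "ssl_stapling ignored, no OCSP responder URL" warning from the first post, and the "key values mismatch" / "fullchain does not match cert + chain" errors from UPDATE 1) can all be checked with openssl before touching nginx. The script below is an added example, not from the thread, certbot or nginx: it runs the three checks against a certbot-style live directory (cert.pem, chain.pem, fullchain.pem, privkey.pem) using only openssl, cat and cmp. The make_fixture function constructs a throwaway CA and leaf so it runs offline; the hostnames example.test and ocsp.example.test, the temporary directory layout and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot/nginx: post-renewal sanity
# checks for a certbot "live" directory (cert.pem, chain.pem, fullchain.pem,
# privkey.pem). Needs only openssl, cat and cmp. Hostnames and paths below
# are assumptions of the example.
set -eu

# cert_has_ocsp_uri CERT: succeeds if the leaf carries an OCSP responder URL in
# its Authority Information Access extension. nginx prints
# '"ssl_stapling" ignored, no OCSP responder URL in the certificate' exactly
# when this fails.
cert_has_ocsp_uri() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$uri" ]
}

# key_matches_cert KEY CERT: succeeds if the private key's public half equals
# the certificate's public key (compared as SubjectPublicKeyInfo DER digests).
# A failure here is what nginx reports as "key values mismatch".
key_matches_cert() {
    key_spki=$(openssl pkey -in "$1" -pubout -outform DER | openssl sha256)
    cert_spki=$(openssl x509 -in "$2" -noout -pubkey \
                | openssl pkey -pubin -pubout -outform DER | openssl sha256)
    [ "$key_spki" = "$cert_spki" ]
}

# fullchain_consistent CERT CHAIN FULLCHAIN: succeeds if fullchain is exactly
# cert followed by chain, the invariant certbot enforces when it says
# "fullchain does not match cert + chain".
fullchain_consistent() {
    cat "$1" "$2" | cmp -s - "$3"
}

# check_live DIR: run all three checks on a live directory. Fails on a broken
# key/cert/fullchain; an absent OCSP URL is only reported, because once the CA
# stops publishing OCSP URLs that is the expected state, not an error.
check_live() {
    dir=$1
    key_matches_cert "$dir/privkey.pem" "$dir/cert.pem" \
        || { echo "$dir: privkey.pem does not match cert.pem"; return 1; }
    fullchain_consistent "$dir/cert.pem" "$dir/chain.pem" "$dir/fullchain.pem" \
        || { echo "$dir: fullchain.pem is not cert.pem + chain.pem"; return 1; }
    if cert_has_ocsp_uri "$dir/cert.pem"; then
        echo "$dir: OCSP responder URL present, ssl_stapling can work"
    else
        echo "$dir: no OCSP responder URL, nginx will ignore ssl_stapling"
    fi
}

# make_fixture DIR [WITH_OCSP]: constructed test data, not Let's Encrypt output.
# Builds a throwaway CA (chain.pem) and a leaf for example.test; WITH_OCSP=1
# adds an AIA OCSP URL so both states of the nginx warning can be exercised.
make_fixture() {
    dir=$1; with_ocsp=${2:-0}
    mkdir -p "$dir"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 30 -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/chain.pem" 2>/dev/null
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=example.test" \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:example.test\n' > "$dir/leaf.ext"
    if [ "$with_ocsp" = 1 ]; then
        printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' >> "$dir/leaf.ext"
    fi
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/leaf.ext" \
        -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# Usage: ./check_live.sh /etc/letsencrypt/live/domain_name
if [ $# -gt 0 ]; then
    check_live "$1"
fi
```

The warning itself is harmless: nginx just cannot staple anything when the certificate names no responder. The emerg and the certbot error are the ones that stop nginx from starting, and both come from the live/ files no longer being the matching set that one renewal produced. When the OCSP URL is gone for good, the nginx side of the fix is to drop `ssl_stapling on;` and `ssl_stapling_verify on;` from the server block; `ssl_trusted_certificate` was only there so that `ssl_stapling_verify` could validate the stapled response, and can stay or go.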

HotBurek ::

Here, I found out what is going on.

Ending OCSP Support in 2025

This paragraph says it all:

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

Ok. So the nginx conf will have to be changed and OCSP thrown out. The Qualys SSL Labs score will consequently be somewhat lower.

Maybe worth looking at Firefox, to see whether this thing can be switched off on the client side...

b4d ::

Thanks for the analysis, I just noticed the same thing is happening to me :)
b4d.sablun.org

