
SSL OCSP_basic_verify() failed

Discussion in 'System Administration' started by Sunka, Sep 28, 2018.

  1. Sunka (Well-Known Member)

    1,140
    312
    83
    Oct 31, 2015
    Pula, Croatia
    Ratings:
    +508
    Local Time:
    10:49 AM
    Nginx 1.17.9
    MariaDB 10.3.22
    A month ago I bought a new https certificate from Comodo.
    Everything went OK; I updated with the help of this tutorial from @deltahf.
    Certificate installed, all seems OK.

    But something is wrong. My log is full of this:

    Code:
    tail -10 /usr/local/nginx/logs/error.log
    2018/09/27 22:55:28 [error] 7745#7745: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com, peer: 2.17.122.210:80, certificate: "/usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt"
    My pijanitvor.com.ssl.conf (relevant part)
    Code:
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
    
      ##  redirect https non-www to https www
      if ($host = 'pijanitvor.com' ) {
          return 301 https://www.pijanitvor.com$request_uri;
      }
     
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      ssl_ciphers TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
      ssl_prefer_server_ciphers   on;
      #######################add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #######################spdy_headers_comp 5;
      ssl_buffer_size 1400;
      ssl_session_tickets on;
     
      #enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 
    What can I do?
     
  2. eva2000 (Administrator, Staff Member)

    44,444
    10,148
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,704
    Local Time:
    6:49 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Suggests the concatenation of the files that make up /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt is incorrect.

    It should be the provided Comodo SSL cert + ca-bundle combined:
    Code (Text):
    cd /usr/local/nginx/conf/ssl/pijanitvor.com
    cat www_domain_com.crt www_domain.com.ca-bundle > ssl-unified.crt
    

    where ssl-unified.crt would be /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt and www_domain_com.crt and www_domain.com.ca-bundle would be located at /usr/local/nginx/conf/ssl/pijanitvor.com

    Also, are you using OpenSSL or BoringSSL with Nginx? BoringSSL doesn't support OCSP stapling; only OpenSSL does.
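The check behind the reply above, as an added example that is not part of this thread or of Centmin Mod: with ssl_stapling_verify on, nginx has to build a path from the OCSP response signer through the chain it is handed, so the first thing to rule out is a certificate file that lacks the intermediate or has the files concatenated in the wrong order. This dependency-free Python script reads the PEM bundle nginx is given as ssl_certificate, parses just enough DER to pull out each certificate's subject and issuer, and confirms the file runs leaf first with every certificate issued by the one after it. The sample certificates it builds (www.example.com, Sample Intermediate CA, Sample Root CA) are constructed placeholders with dummy keys and signatures; they exist only so the check can run offline.

```python
"""Check that a PEM bundle (an nginx ssl_certificate file) is ordered leaf ->
intermediate(s), each certificate issued by the one that follows it."""
import base64
import re
import textwrap

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # id-at-commonName (2.5.4.3) as a DER OID TLV

def pem_to_ders(pem_bytes):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem_bytes)]

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """TLVs between start and end as (tag, raw_tlv, value_start, value_end)."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        out.append((tag, buf[pos:vend], vstart, vend))
        pos = vend
    return out

def subject_issuer(der):
    """Raw DER Name TLVs (subject, issuer); DER Names are canonical, so bytes compare."""
    _, cert_vstart, _ = _tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_vstart, tbs_vend = _tlv(der, cert_vstart)   # tbsCertificate SEQUENCE
    fields = _children(der, tbs_vstart, tbs_vend)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, spki, ...
    return fields[4][1], fields[2][1]

def common_name(name_der):
    """CN attribute of a DER Name, or '?' if it has none."""
    _, vstart, vend = _tlv(name_der, 0)
    for _, _, set_start, set_end in _children(name_der, vstart, vend):       # each RDN SET
        for _, _, attr_start, attr_end in _children(name_der, set_start, set_end):
            oid, value = _children(name_der, attr_start, attr_end)[:2]       # { OID, value }
            if oid[1] == OID_COMMON_NAME:
                return name_der[value[2]:value[3]].decode("utf-8", "replace")
    return "?"

def check_bundle(pem_text):
    """Problems with the bundle; empty means leaf first and each cert issued by the next."""
    ders = pem_to_ders(pem_text.encode())
    if not ders:
        return ["no PEM certificates found"]
    names = [subject_issuer(d) for d in ders]
    cns = [common_name(subj) for subj, _ in names]
    problems = []
    if len(ders) == 1:
        problems.append(f"only one certificate (CN={cns[0]}): the CA bundle with the "
                        "intermediate(s) must be appended after the leaf")
    for i in range(len(ders) - 1):
        subj, issuer = names[i]
        next_subj, next_issuer = names[i + 1]
        if issuer == next_subj:
            continue                                   # cert i really is signed by cert i+1
        if subj == next_issuer:
            problems.append(f"certificates {i + 1} and {i + 2} are reversed: CN={cns[i + 1]} "
                            f"is issued by CN={cns[i]}, so it must come first")
        else:
            problems.append(f"certificate {i + 1} (CN={cns[i]}) is issued by CN="
                            f"{common_name(issuer)}, but certificate {i + 2} is CN={cns[i + 1]}")
    return problems

# constructed sample data: placeholder certificates, not real ones
def _der(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    attr = _der(0x30, OID_COMMON_NAME + _der(0x0C, cn.encode()))   # SEQUENCE { OID, UTF8String }
    return _der(0x30, _der(0x31, attr))                             # Name: SEQUENCE OF SET OF attr

def fake_cert_pem(subject_cn, issuer_cn):
    """Stand-in with the real TBSCertificate field order but placeholder algorithm,
    key and signature: it parses, it would never verify."""
    alg = _der(0x30, _der(0x06, b"\x2a\x03\x04"))                   # OID 1.2.3.4, placeholder
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),       # [0] version v3, serialNumber
        alg, _name(issuer_cn),                                      # signature, issuer
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z")),  # validity
        _name(subject_cn), _der(0x30, b""),                         # subject, empty spki
    ]))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    body = "\n".join(textwrap.wrap(base64.b64encode(cert).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert_pem("www.example.com", "Sample Intermediate CA")
INTERMEDIATE = fake_cert_pem("Sample Intermediate CA", "Sample Root CA")
GOOD_BUNDLE = LEAF + INTERMEDIATE      # what `cat cert.crt ca-bundle > ssl-unified.crt` should give
```

To run it against a real file, pass the contents of ssl-unified.crt (the path under /usr/local/nginx/conf/ssl/ is whatever your vhost uses) to check_bundle and print the list it returns; an empty list means the leaf is first and every certificate is signed by the one after it, which is what the cat command in the reply produces when the two input files are right. A single-certificate result is the "ca-bundle never appended" case, and a "reversed" result means the two files were concatenated in the wrong order.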
     
  3. Sunka (Well-Known Member)
    It seems OK now.
    I am not using BoringSSL.
    I downloaded a new www_domain.com.ca-bundle (it is the same as the old one) and did the concatenation again, but not:
    cat www_domain_com.crt www_domain.com.ca-bundle > ssl-unified.crt

    because my ca-bundle file is:
    www_domain_com.ca-bundle
     
  4. eva2000 (Administrator, Staff Member)
    somethings you want to use the updated ca-bundle instead
     
  5. Sunka (Well-Known Member)
    What do you mean?
    Somethings = sometimes?
     
  6. eva2000 (Administrator, Staff Member)
    sometimes :oops::)