I think I’ve got OCSP stapling set up correctly with Nginx (1.9.0). I am seeing valid OCSP responses; however, if I keep querying the same server I also frequently see “No response”. The OCSP responses are valid for seven days. Is each worker doing its own OCSP query independently of the others? Or is there something else happening?
Hello,
Nginx uses a per worker OCSP cache.
Ok, that explains it then. Does the cache survive reloads? Or does it need to requery?
On Wed, Jun 29, 2016 at 1:23 AM, Kurt C. [email protected]
nginx workers are recreated on reload (read Controlling nginx), nothing can thus remain from past cache at this level.
B. R.
On Wed, Jun 29, 2016 at 6:26 PM, itpp2012 [email protected]
CJ Ess Wrote:
Ok, that explains it then. Does the cache survive reloads? Or does it need to requery?
See also Issue with OCSP stapling when server certificate has been revoked by CA
"When Nginx starts for the first time, and there’s no cached OCSP response, the first client to try an OCSP will fail; I understand that this is by design, and I’ve overcome it by simply ‘warming’ the cache manually by using OpenSSL’s s_client…"
Posted at Nginx Forum:
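
Added example, not part of the thread and not nginx's own tooling: a shell check that repeats `openssl s_client -status` handshakes and tallies how many carried a stapled OCSP response, which makes the per-worker cache behaviour discussed above visible after a start or reload. The function names, the default port and the default number of tries are assumptions of this example.

```shell
#!/bin/sh
# Added example: tally stapled OCSP responses over repeated TLS handshakes.
# Function names and defaults (port 443, 20 tries) are assumptions.
# The two s_client transcript lines this script distinguishes:
#   OCSP response: no response sent
#   OCSP Response Status: successful (0x0)

# Classify one `openssl s_client -status` transcript read from stdin.
# Prints "stapled", "none" or "unknown" (e.g. the connection failed).
staple_status() {
    awk '
        /OCSP Response Status: successful/ { s = "stapled" }
        /OCSP response: no response sent/  { if (s == "") s = "none" }
        END { print (s == "" ? "unknown" : s) }
    '
}

# One handshake that asks the server for a stapled response.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -status \
        </dev/null 2>/dev/null
}

# Repeat the handshake. Each new connection may be accepted by a different
# worker, and the thread says each worker keeps its own OCSP cache, so a mix
# of "stapled" and "none" is expected until every worker has a response.
tally() {
    host=$1 port=$2 tries=$3 stapled=0 none=0 unknown=0 i=0
    while [ "$i" -lt "$tries" ]; do
        case $(probe "$host" "$port" | staple_status) in
            stapled) stapled=$((stapled + 1)) ;;
            none)    none=$((none + 1)) ;;
            *)       unknown=$((unknown + 1)) ;;
        esac
        i=$((i + 1))
    done
    echo "stapled=$stapled none=$none unknown=$unknown"
}

# Runs only when a host is given, e.g.: sh staple-check.sh www.example.com 443 20
if [ -n "${1:-}" ]; then
    tally "$1" "${2:-443}" "${3:-20}"
fi
```

Running it right after a reload and again a little later shows whether the "none" count drops to zero once the workers have fetched their responses.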