OCSP_check_validity() status expired

addis_a · December 24, 2014, 12:48pm

I am seeing a lot of these errors in my /var/log/nginx/error.log

[error] 11405#0: OCSP_check_validity() failed (SSL: error:2707307D:OCSP
routines:OCSP_check_validity:status expired) while requesting
certificate
status, responder: ocsp2.globalsign.com

How can i fix that

Posted at Nginx Forum:

khav · December 24, 2014, 2:06pm

hi khav,

try adding the following lines to your nginx website configuration file:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/my_ssl_certs/ca-bundle.pem;

note the PEM encoded X509 ca-bundle file should contain the ssl

certificate

chain bundle (i.e. domain and intermediate CA certs)

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

wbr,

ionsec

Posted at Nginx Forum:

khav · December 26, 2014, 3:57pm

@ionsec

These lines are already in my config but i add the “valid=300s” to the
resolver line

@Maxim how can i fix it

Posted at Nginx Forum:

khav · December 26, 2014, 4:05pm

the “date” command give the following on my server so i think the date
is ok
(correct me if i am wrong)

Fri Dec 26 14:58:27 MST 2014

In php.ini
date.timezone = “US/Mountain”

[root@sv1 ~]# cat /etc/sysconfig/clock
ZONE=“US/Mountain”

Posted at Nginx Forum:

khav · December 24, 2014, 2:06pm

Hello!

On Wed, Dec 24, 2014 at 06:48:00AM -0500, khav wrote:

I am seeing a lot of these errors in my /var/log/nginx/error.log

[error] 11405#0: OCSP_check_validity() failed (SSL: error:2707307D:OCSP
routines:OCSP_check_validity:status expired) while requesting certificate
status, responder: ocsp2.globalsign.com

How can i fix that

The OCSP response returned by your CA is too old. Most likely,
the problem is that time on your server is set incorrectly.

–
Maxim D.
http://nginx.org/

khav · December 26, 2014, 6:53pm

Hello!

On Fri, Dec 26, 2014 at 10:04:27AM -0500, khav wrote:

the “date” command give the following on my server so i think the date is ok
(correct me if i am wrong)

Fri Dec 26 14:58:27 MST 2014

In php.ini
date.timezone = “US/Mountain”

[root@sv1 ~]# cat /etc/sysconfig/clock
ZONE=“US/Mountain”

Doesn’t looks correct for me, current time is 17:20 UTC:

$ date
Fri Dec 26 17:20:30 UTC 2014

and this corresponds to 10:20 MST:

$ env TZ=“US/Mountain” date
Fri Dec 26 10:20:35 MST 2014

That is, looks like the time on your server is wrong. See your
server documentation to find out how to sync time properly.

–
Maxim D.
http://nginx.org/

khav · December 29, 2014, 6:25am

I confirm that the issue is resolved and what indeed the time.It was not
properly sync

Posted at Nginx Forum: