id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1863	"""ssl_stapling"" ignored, host not found in OCSP responder ""ocsp.int-x3.letsencrypt.org"" in the certificate"	actionmystique@…		"Nginx relevant config:

{{{
        resolver 127.0.0.1:53;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_certificate domain.com.chained.crt;
        ssl_certificate_key domain.com_rsakey.pem;
        ssl_trusted_certificate letsencrypt_root_intermediate_bundle.pem;

}}}

domain.com.chained.crt is a bundle containing:
- the domain wildcard certificate
- letsencryptauthorityx3.pem
- no anchor root certificate

letsencrypt_root_intermediate_bundle.pem is a bundle containing:
- isrgrootx1.pem root certificate
- letsencryptauthorityx3.pem

Testing the domain at https://www.ssllabs.com/ssltest reports:
- an overall rating of A+
- a certificate issued by Let's Encrypt Authority X3/AIA: http://cert.int-x3.letsencrypt.org/
- Revocation information OCSP: http://ocsp.int-x3.letsencrypt.org
- Revocation status as Good (not revoked)
- Trusted yes
- no chain issue with the provided certificate of Let's Encrypt Authority X3 issued by ISRG Root X1

No issue either when accessing ocsp.int-x3.letsencrypt.org:

{{{
# dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.15.4 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57953
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e26b5bf4a0c64fbc010000005d98883e0f932385bcae9d08 (good)
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.	IN	A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 599 IN	CNAME	ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 599 IN CNAME	a771.dscq.akamai.net.
a771.dscq.akamai.net.	599	IN	A	88.221.113.64
a771.dscq.akamai.net.	599	IN	A	88.221.113.51
a771.dscq.akamai.net.	599	IN	A	88.221.113.11

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 05 14:10:38 CEST 2019
;; MSG SIZE  rcvd: 221

# ping ocsp.int-x3.letsencrypt.org.edgesuite.net
PING a771.dscq.akamai.net (88.221.113.89) 56(84) bytes of data.
64 bytes from a88-221-113-89.deploy.static.akamaitechnologies.com (88.221.113.89): icmp_seq=1 ttl=58 time=5.80 ms
}}}

Yet, restarting nginx leads to:
     nginx: [warn] ""ssl_stapling"" ignored, host not found in OCSP responder ""ocsp.int-x3.letsencrypt.org"" in the certificate ""domain.com.chained.crt""

Is this an nginx or a configuration issue?"	defect	closed	minor		other	1.17.x	invalid	ssl_stapling ocsp		Linux 5.3.0-17-generic #18-Ubuntu SMP Fri Oct 4 03:04:18 UTC 2019 x86_64 GNU/Linux	"# nginx -V
nginx version: nginx/1.17.4 (x86_64-pc-linux-gnu)
built by gcc 9.2.1 20190909 (Ubuntu 9.2.1-8ubuntu1) 
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --build=x86_64-pc-linux-gnu --prefix=/usr/local/share/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx.pid --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --group=www-data --user=www-data --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module --with-stream_ssl_preread_module --with-threads
"
