id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
2648	Nginx will disable OCSP stapling over all domains even if one is bogus	bahat.gil@…		"Hi,

I have configured nginx for SNI-based vhosting for several known subdomains. The default certificate is not meant to be used, so it is set with a bogus, snakeoil certificate.


When starting nginx, it will complain about the snakeoil certificate being incompatible with OCSP stapling and then proceed to disable OCSP stapling for all domains, including ones with valid certificates.

Jun 09 13:38:11 dev-redacted-gil nginx[1124]: nginx: [warn] ""ssl_stapling"" ignored, issuer certificate not found for certificate ""/etc/ssl/certs/ssl-cert-snakeoil.pem""

Expected behaviour: disabling OCSP stapling should be done only for the invalid certificate.


Steps to reproduce:

1. Create an nginx configuration with SNI vhosting.
2. Add a default_server snakeoil SSL configuration.
3. Add a valid vhost with valid TLS certificates.
4. Turn on OCSP stapling."	defect	new	major		documentation	1.25.x			bahat.gil@…	Linux dev-redacted-gil 6.8.0-1007-azure #7-Ubuntu SMP Sat Apr 20 00:06:31 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.26.1
built by gcc 13.2.0 (Ubuntu 13.2.0-23ubuntu4)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-http_v3_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/data/builder/debuild/nginx-1.26.1/debian/debuild-base/nginx-1.26.1=/usr/src/nginx-1.26.1-2~noble -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'"
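The configuration below is an added illustration of the setup described in the ticket's reproduction steps; it is not the reporter's configuration and not part of the nginx project. Hostnames (www.example.com), certificate paths under /etc/nginx/ssl/, the resolver address and the listening port are placeholders. The commented-out http-level `ssl_stapling on;` is the layout that reproduces the warning quoted in the report (every server block, including the snakeoil default_server, inherits it); the server-level directives show the arrangement in which stapling is requested only for the server that actually has an issuer chain.

```nginx
# Added example: SNI vhosting with a self-signed placeholder default_server.
# Paths, hostnames, ports and the resolver address are assumptions, not values from the ticket.
http {
    # Layout from the ticket: enabling stapling at http level is inherited by every
    # server{} below, including the snakeoil default_server, which has no issuer
    # certificate and therefore triggers:
    #   [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "..."
    # ssl_stapling on;

    # Catch-all for unknown SNI names. Nothing here is meant to be trusted by clients,
    # so there is nothing to staple: leave stapling off for this server explicitly.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
        ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
        ssl_stapling off;
        return 444;   # close the connection without a response
    }

    # Real vhost. fullchain.pem must contain the leaf followed by its intermediate(s):
    # nginx needs the issuer certificate to build the OCSP request, and a resolver
    # to reach the responder named in the certificate's AIA extension.
    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate         /etc/nginx/ssl/www.example.com/fullchain.pem;
        ssl_certificate_key     /etc/nginx/ssl/www.example.com/privkey.pem;
        ssl_trusted_certificate /etc/nginx/ssl/www.example.com/chain.pem;
        ssl_stapling        on;
        ssl_stapling_verify on;   # requires ssl_trusted_certificate above
        resolver 127.0.0.53 valid=300s;
    }
}
```

Run `nginx -t` after the change to confirm the warning is gone, then check stapling per SNI name rather than per IP with `openssl s_client -connect <host>:443 -servername www.example.com -status </dev/null`, looking for `OCSP Response Status: successful`. nginx fetches the OCSP response in the background on first use, so the very first handshake after a (re)start normally carries no staple; repeat the check a second time before concluding that stapling is disabled.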
