id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
556	OCSP stapling not working with comodo PositiveSSL	Frederik Schwan		"When using OCSP stapling 

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_stapling on;
ssl_stapling_verify off;
ssl_trusted_certificate /etc/ssl/private/chain.comodo.pem;
ssl_dhparam /etc/nginx/dh_2048.pem;

I get the following log entry:

Mai 04 19:12:35 heimdall nginx[4573]: 2014/05/04 19:12:35 [error] 4576#0: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com

So I decided to do some trial and error with openssl. The only way the certificate could be verified was by using the ""-VAfile"" option. Using CA or CAfile does not work. It seems to me that the way Comodo signs its OCSP answer is not very usual. They don't ship the signing certificate with the answer and don't mark the cert as an OCSP signing certificate. Lastly, they don't even use their CA cert, but an intermediate certificate (the issuer), to sign.

Since the ""-VAfile"" option works, I suggest letting nginx invoke openssl with this option.

Root CA and intermediates are attached, as well as an OCSP answer generated with openssl (OpenSSL 1.0.1g 7 Apr 2014).

"	defect	closed	major		nginx-module	1.5.x	wontfix	OCSP SSL		Linux heimdall 3.14.2-1-ARCH #1 SMP PREEMPT Sun Apr 27 11:28:44 CEST 2014 x86_64 GNU/Linux	"nginx version: nginx/1.6.0
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-imap --with-imap_ssl_module --with-ipv6 --with-pcre-jit --with-file-aio --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_realip_module --with-http_spdy_module --with-http_ssl_module --with-http_stub_status_module --with-http_addition_module --with-http_degradation_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_sub_module
"
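The reporter's openssl experiment can be reproduced offline, which makes the "signer certificate not found" error easier to reason about than a live query to ocsp.comodoca.com. The script below is an added example; it is not part of the ticket and not nginx or Comodo code. It generates a throwaway root, intermediate and server certificate, then uses the built-in responder mode of `openssl ocsp` to sign a response for the leaf with the issuing intermediate's own key and, with `-resp_no_certs`, to leave the signer certificate out of the response, which is the responder behaviour the ticket describes. It then verifies that response the way the reporter did, with `-CAfile` alone, with `-VAfile`, and with `-verify_other`, and for contrast verifies a response that does embed its signer. All names, paths and the index database are made up for the example; the only requirement is the openssl command line tool (1.0.2 or later).

```shell
#!/bin/sh
# Added example (not from the ticket, nginx or Comodo): rebuild the reporter's
# openssl experiment offline with a throwaway PKI. Every name and path is made up.
set -eu

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Minimal req/x509 config so the run does not depend on the system openssl.cnf.
write_config() {
    cat > "$PKI/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA -> intermediate CA -> server leaf (the chain shape in the ticket), plus
# the ca-style index.txt the built-in responder consults: one "V" (valid) row for
# the leaf. The expiry column is not consulted by "openssl ocsp", only the serial.
setup_pki() {
    write_config
    ( cd "$PKI"
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
          -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=Example Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
      openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -days 30 -extfile ca.cnf -extensions v3_inter -out inter.pem
      openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
      openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
          -days 30 -extfile ca.cnf -extensions v3_leaf -out leaf.pem
      serial=$(openssl x509 -in leaf.pem -noout -serial | sed 's/^serial=//')
      printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=www.example.test\n' "$serial" > index.txt )
}

# Sign a response for the leaf with the *issuing intermediate's* key: no separate
# OCSP-signing certificate, as the ticket says Comodo does. Responder mode
# processes the request given on the command line and writes it to -respout.
# $1 = output file; any further args go to the responder (e.g. -resp_no_certs).
make_response() {
    dest=$1; shift
    openssl ocsp -index "$PKI/index.txt" -CA "$PKI/inter.pem" \
        -rsigner "$PKI/inter.pem" -rkey "$PKI/inter.key" -ndays 1 \
        -issuer "$PKI/inter.pem" -cert "$PKI/leaf.pem" \
        -noverify -respout "$dest" "$@" >/dev/null
}

# Verify a saved response against the root, as the reporter did with the CLI.
# $1 = response file; $2/$3 = optional extra option and its certificate file,
# e.g. -VAfile inter.pem. Prints "ok" or "fail". The exit status of
# "openssl ocsp" on a verify failure differs between versions, so it is ignored.
verify_response() {
    resp=$1; opt=${2:-}; certs=${3:-}
    if [ -n "$opt" ]; then set -- "$opt" "$certs"; else set --; fi
    result=$(openssl ocsp -respin "$resp" -no_nonce -CAfile "$PKI/root.pem" "$@" 2>&1 || true)
    case $result in
        *"Response verify OK"*) echo ok ;;
        *) echo fail ;;
    esac
}

# The reason string OpenSSL reports when $1 is verified with -CAfile alone.
verify_reason() {
    openssl ocsp -respin "$1" -no_nonce -CAfile "$PKI/root.pem" 2>&1 \
        | sed -n 's/^.*OCSP routines:[^:]*:\([^:]*\):.*$/\1/p' | head -n 1
}

setup_pki
make_response "$PKI/resp-nocerts.der" -resp_no_certs   # signer omitted, as in the ticket
make_response "$PKI/resp-withcerts.der"                # signer embedded in the response

printf '%-48s %s (%s)\n' 'no signer in response, -CAfile only:' \
    "$(verify_response "$PKI/resp-nocerts.der")" "$(verify_reason "$PKI/resp-nocerts.der")"
printf '%-48s %s\n' 'no signer in response, -VAfile inter.pem:' \
    "$(verify_response "$PKI/resp-nocerts.der" -VAfile "$PKI/inter.pem")"
printf '%-48s %s\n' 'no signer in response, -verify_other inter.pem:' \
    "$(verify_response "$PKI/resp-nocerts.der" -verify_other "$PKI/inter.pem")"
printf '%-48s %s\n' 'signer embedded, -CAfile only:' \
    "$(verify_response "$PKI/resp-withcerts.der")"
```

The first line of output is the reporter's situation: `OCSP_basic_verify()` looks for the signer among the certificates carried in the response and among the certificates handed to it explicitly, not in the trust store, so a response that omits its signer cannot be verified with `-CAfile` alone, whatever that file contains. `-VAfile` fixes it, but note what it does: per the `openssl ocsp` manual it is `-verify_other` plus `-trust_other`, i.e. the supplied certificate is trusted outright without chaining it to anything. `-verify_other inter.pem` is the stricter form: it supplies the missing signer but still requires it to chain to a root in `-CAfile`, and it verifies this response just as well. On the nginx side, the `ssl_stapling_verify` documentation requires the issuer certificate, the root and all intermediates to be present in `ssl_trusted_certificate`; the ticket does not say what chain.comodo.pem contained, so the example only shows why the issuing intermediate, not just the root, has to be available to whatever verifies the response.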
