id: 832
summary: OCSP_basic_verify : unable to get certificate CRL
reporter: mttcr@…
owner:
type: defect
status: closed
priority: minor
milestone:
component: nginx-module
version: 1.8.x
resolution: wontfix
keywords: ocsp, ssl, crl
cc:
uname: Linux xxxx 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx_version:
{{{
nginx version: nginx/1.8.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
}}}

description:

Hello,

I am configuring a server with OCSP stapling. I have the following error:
{{{
2015/11/12 16:35:25 [error] 10140#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get certificate CRL) while requesting certificate status, responder: gu.symcd.com
}}}

I have the same error while trying the following SSL command:
{{{
openssl verify -verbose -issuer_checks -crl_check_all -CAfile trusted.crt my.crt
OU = GTxxx, OU = See www.geotrust.com/resources/cps (c)15, OU = Domain Control Validated - QuickSSL(R) Premium, CN = xxx.com
error 3 at 0 depth lookup:unable to get certificate CRL
}}}
{{{
(from strace : stat("/usr/lib/ssl/certs/d84ef247.r0", 0x7fff569a0c70) = -1 ENOENT (No such file or directory) )
}}}

If I manually download the CRLs (from intermediate and mine) and add them to the trusted.crt list it works. But, shouldn't nginx proceed with OCSP rather than checking with CRLs? Why does it need the CRL?

With openssl it is successful:
{{{
openssl ocsp -issuer intermediate.crt -cert my.crt -CAfile trusted.crt -text -url http://gu.symcd.com
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
          Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
          Serial Number: 0266CA
    Request Extensions:
        OCSP Nonce:
            04107AB006C3D74145C9102E34EABEAA7C20
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: E1F8C2DBEB0FB09E4C064D0A850DBE1E41BAB82E
    Produced At: Nov 11 08:49:40 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 0BFE6BED5F81B8D22D7578CFB3E64ECD41AF6D93
      Issuer Key Hash: 0B50EC77EF2A9BFFEC03A10AFFADC6E42A18C73E
      Serial Number: 0266CA
    Cert Status: good
    This Update: Nov 11 08:49:40 2015 GMT
    Next Update: Nov 18 08:49:40 2015 GMT
...
}}}

Note: I also use Client Certificate Authentication.

My conf contains:
{{{
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_certificate chain.crt;
ssl_certificate_key my.key;
ssl_verify_client on;
ssl_client_certificate myCA.crt;
ssl_crl myCA.crl;
ssl_verify_depth 2;
ssl_trusted_certificate trusted.crl
}}}
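The reporter's observation that `openssl verify -crl_check_all` only passes once the downloaded CRLs are appended to trusted.crt can be reproduced offline with a throwaway CA. The script below is an added example, not part of the ticket or of nginx: the CA name, the hostname www.example.test, the file names and the `crl_check` helper are all constructed for the demonstration. It shows that full-chain CRL checking requires a CRL for every CA in the chain (the self-signed root included) and that `-CAfile` loads PEM CRLs alongside certificates, which is why appending the CRLs to the trusted file changed the result.

```shell
#!/bin/sh
# Added example, not part of ticket #832: reproduce with a throwaway CA why
# "openssl verify -crl_check_all" reports "unable to get certificate CRL"
# until a CRL for every CA in the chain is present in the trusted file.
# All names (Example Test CA, www.example.test) are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: [req] for the self-signed root, [ca] for CRL issuing.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = ca_default
[ ca_default ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF

# Throwaway root CA and a leaf certificate signed by it.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
    -out ca.crt -days 30 -subj "/CN=Example Test CA" 2>/dev/null
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out leaf.crt -days 30 2>/dev/null

# Issue an (empty) CRL from the root: the artefact the reporter fetched by hand.
touch index.txt
echo 1000 > crlnumber
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# crl_check TRUSTFILE: verify leaf.crt with full-chain CRL checking.
# Prints "ok" on success, otherwise the verify error reason, and always
# returns 0 so it can be called under "set -e".
crl_check() {
    out=$(openssl verify -crl_check_all -CAfile "$1" leaf.crt 2>&1) || true
    case "$out" in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" \
             | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1 ;;
    esac
}

# 1) Trust file holds only the CA certificate: same failure as in the ticket.
RESULT_NO_CRL=$(crl_check ca.crt)
# 2) Append the CA's CRL to the trust file (-CAfile loads PEM CRLs too): passes.
cat ca.crt ca.crl > trusted-with-crl.pem
RESULT_WITH_CRL=$(crl_check trusted-with-crl.pem)

echo "CA cert only      : $RESULT_NO_CRL"
echo "CA cert + its CRL : $RESULT_WITH_CRL"
```

The first run prints `unable to get certificate CRL` at depth 0, the same X509 error the ticket quotes; the second prints `ok`. On the nginx side, `ssl_crl` enables exactly these flags (X509_V_FLAG_CRL_CHECK and X509_V_FLAG_CRL_CHECK_ALL) on the certificate store shared by the whole SSL context, and the stapling code verifies the OCSP responder's certificate chain against that same store, so once `ssl_crl` is configured the responder's chain is subject to the CRL requirement as well.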