You come across the error ‘ssl_stapling ignored, issuer certificate not found for certificate’ while restarting the Nginx server.
Here at Bobcares, we have seen several such SSL related issues as part of our Server Management Services for web hosts and online service providers.
Today we’ll take a look at the cause for this error and how to fix it.
What causes this ssl_stapling ignored error to occur
Here are the different causes for this error to occur in Nginx.
- The OCSP is not able to connect to the external source to check certificate validity. It is because the outbound connection are not available.
- Certificate Authority is not present for the SSL certificate.
- Not properly bundling the crt file with the CA.
For instance, here is an Nginx syntax that shows the ssl_stapling warning message.
# nginx -t
nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/usr/local/psa/var/certificates/scfU5oE9u”
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
How we fix the error ‘ssl_stapling ignored, issuer certificate not found for certificate’
Now let’s look into the solution part of this error message.
1. Enabling OCSP Stapling via Plesk
- First, log in to the Plesk panel
- Access the Domains section >> example.com >> choose SSL/TLS Certificates
- Now disable the OCSP Stapling option
- After that, re-enable it back.
2. Making OCSP stapling work
The certificate of the server certificate issuer should be known so that the OCSP Stapling works.
In case, if the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.
The resolver directive should also be specified so that the OCSP responder hostname resolves.
Add the below code into vhost configuration:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/secrets/trusted;
#where /etc/secrets/trusted is the CA.
resolver <IP DNS resolver>;
The ssl_trusted_certificate option should point to the root certificate and all intermediate certificates of the CA, not your signed certificate.
3. Combining the crt files into a bundle
- Combine the above crt files into a bundle (the order matters, here):
cat www_example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt - Then Store the bundle in the location where Nginx wants to find it:
mkdir -p /etc/nginx/ssl/example_com/
mv ssl-bundle.crt /etc/nginx/ssl/example_com/ - Make sure that the private key is placed somewhere that it is readable by Nginx as well:
mv example_com.key /etc/nginx/ssl/example_com/ - Also, make sure that the Nginx config points to the appropriate cert file and to the private key you generated earlier:
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/example_com/ssl-bundle.crt;
ssl_certificate_key /etc/nginx/ssl/example_com/example_com.key;
# side note: only use TLS since SSLv2 and SSLv3 have had recent vulnerabilities
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# …
} - Finally, restart Nginx.
[Need any assistance in fixing SSL errors? – We’ll help you]
Conclusion
In short, this error occurs while restarting the Nginx server. Today, we saw the solution to this error.
0 Comments