我正在尝试在 Nginx 中启用 OCSP Stapling。然而,当我测试我的 SSL 证书时,我遇到了一些问题。
有什么想法可以解决“OCSP 响应:未发送响应”和“验证错误:num=20:无法获取本地发行者证书”问题吗?
我隐藏了一些信息,因为我不确定发布哪些信息才是“安全的”。
localhost# openssl s_client -connect www.example.com:443 -tls1 -tlsextdebug -status -CApath /etc/ssl/cert/RapidSSL_CA_bundle.pem
OCSP response: no response sent
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/serialNumber=3-XXXXXXX/XXXXXXX/SYLel9-A/OU=XXXXXXXX/OU=See www.rapidssl.com/resources/cps (c)14/OU=Domain Control Validated - RapidSSL(R)/CN=www.example.com
i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
...
...
Verify return code: 20 (unable to get local issuer certificate)
编辑:Nginx 配置
# SSL Directives
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/cert/RapidSSL_CA_bundle.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
ssl_prefer_server_ciphers On;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;