Hello! On Thu, May 07, 2015 at 02:28:12PM -0400, 173279834462 wrote:
[...] > It turns out that the problem is "security.ssl.enable_ocsp_stapling", which > is > "true" by default. If I disable it, then FF loads the web sites. If I > re-enable it, > then FF complains again: > > > Secure Connection Failed > > An error occurred during a connection to madreacqua.org. > > Invalid OCSP signing certificate in OCSP response. > > (Error code: sec_error_ocsp_invalid_signing_cert) > > > > The page you are trying to view cannot be shown because the authenticity > > of the received data could not be verified. > > Please contact the website owners to inform them of this problem. > > If FF is correct, then nginx is returning a bad certificate, and we are back > to square one. The "Invalid OCSP signing certificate in OCSP response" likely means that an OCSP response returned by nginx is signed by an invalid certificate, at least that's what written. Unless you've forced nginx to return something invalid using the ssl_stapling_file directive, it is probably due to a behaviour of your CA. Ask your CA for more information. Trivial workaround on nginx side is to switch off ssl_stapling. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
