> I enable "ssl_stapling" and "ssl_stapling_verify", and it works fine. But
> sometimes I find a few error messages in error.log, ".....Operation
> timed out) while requesting certificate status....". It seems the OCSP server
> of my SSL provider cannot be reached at that time.
>
> I want to know, what happens when nginx cannot request the certificate status? Can the
> user still visit the website correctly? Thank you so much.

1. The OCSP certificate is valid for much longer than the intervals your server renews it at, so even if you can't connect for a while it should still be valid.

2. The client will contact the certificate's OCSP server directly if you don't send the OCSP cert (or it's expired) for verification.

3. The above #2 statement assumes your SSL Cert was NOT generated with "Must Staple". If it is, then you would definitely need a valid OCSP cert copy to send to clients, otherwise they will get an error.

I see several failed attempts in my error log every day, it happens... Unless you have dozens & dozens of them from the same IP, then I wouldn't worry about it.
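
Added example, not part of the original thread: a small Python triage script that counts failed stapling fetches in error.log per day, responder and peer IP, and reports only the groups that reach "dozens". The log lines are constructed, the responder/peer field layout is assumed from typical nginx error lines, and the threshold of 24 is an assumed reading of "dozens & dozens".

```python
import re
from collections import Counter

# nginx error.log entry for a failed stapling fetch. Only the phrase
# "while requesting certificate status" comes from the thread; the
# "responder:" / "peer:" fields are the assumed surrounding layout.
OCSP_ERR = re.compile(
    r'^(?P<day>\d{4}/\d{2}/\d{2}) \d{2}:\d{2}:\d{2} \[error\] .*?'
    r'while requesting certificate status'
    r'(?:, responder: (?P<responder>[^,\s]+))?'
    r'(?:, peer: (?P<peer>[^,\s]+))?'
)

def ocsp_failures(lines):
    """Count failed OCSP fetches per (day, responder, peer IP)."""
    counts = Counter()
    for line in lines:
        m = OCSP_ERR.match(line)
        if not m:
            continue  # unrelated log entry
        # Drop the port so 192.0.2.10:80 and 192.0.2.10:8080 group together.
        peer = (m.group('peer') or 'unknown').rsplit(':', 1)[0]
        responder = m.group('responder') or 'unknown'
        counts[(m.group('day'), responder, peer)] += 1
    return counts

def noisy(counts, threshold=24):
    """Keep only groups at or above the threshold (assumed value)."""
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample: 30 timeouts to one peer, 2 to another, 1 unrelated line.
TAIL = ('OCSP responder timed out (110: Operation timed out) while requesting '
        'certificate status, responder: ocsp.example.test, peer: {}:80, '
        'certificate: "/etc/nginx/tls/site.pem"')
SAMPLE = (
    [f'2024/05/01 03:{i:02d}:09 [error] 811#811: ' + TAIL.format('192.0.2.10')
     for i in range(30)]
    + [f'2024/05/01 09:0{i}:41 [error] 811#811: ' + TAIL.format('192.0.2.11')
       for i in range(2)]
    + ['2024/05/01 10:00:00 [error] 811#811: *7 open() "/srv/www/x" failed '
       '(2: No such file or directory), client: 198.51.100.7']
)

if __name__ == '__main__':
    for (day, responder, peer), n in sorted(noisy(ocsp_failures(SAMPLE)).items()):
        print(f'{day} {responder} via {peer}: {n} failed OCSP fetches')
```

A handful of entries per day stays below the threshold and produces no output, which matches the "it happens" case described in the reply.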