My log file (error.log) is being spammed with this error:
2016/10/08 09:50:06 [error] 1014#1014: OCSP_basic_verify() failed
(SSL: error:27069065:OCSP routines: OCSP_basic_verify:certificate verify error:
Verify error:self signed certificate in certificate chain) while requesting certificate
status, responder: ocsp2.globalsign.com
I really can't find a solution to this problem. Can you help me?
I'm using Ubuntu 16.04 (NGINX + php7.0-fpm)
Part of my example.conf file:
server {
server_name example.com;
charset UTF-8;
listen 443 ssl http2;
ssl on;
ssl_verify_client off;
ssl_certificate "/var/www/httpd-cert/example/example.crtca";
ssl_certificate_key "/var/www/httpd-cert/example/example.key";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_trusted_certificate "/var/www/httpd-cert/example/example.crt";
ssl_prefer_server_ciphers on;
ssl_session_timeout 1h;
ssl_session_cache shared:SSL:16m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
...
Why am I getting this error? My certificate is not self-signed.
ssl_trusted_certificate "/var/www/httpd-cert/example/example.crt";
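This setting should contain the CA that is trusted to issue the OCSP response, i.e. usually the issuer CA. My guess is that your file does not contain the necessary CA, which is why it fails to verify the OCSP response as requested by ssl_stapling_verify on.
For more information about this setting, see the documentation.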
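
One way to check the point made in the answer above, as an added example that is not part of the original post: the script compares the issuer of the server certificate with the subjects of the certificates in the file given to ssl_trusted_certificate. The function names and the throwaway CA and certificate it generates are constructed for illustration; the match is by name hash only and does not verify signatures.

```shell
#!/bin/sh
# Added example: does the ssl_trusted_certificate file contain the CA that
# issued the server certificate? (Function names are hypothetical.)

# Print the subject hash of every certificate in a PEM bundle, one per line.
bundle_subject_hashes() {
    awk -v cmd='openssl x509 -noout -subject_hash' '
        /-----BEGIN CERTIFICATE-----/ { pem = ""; inside = 1 }
        inside { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { printf "%s", pem | cmd; close(cmd); inside = 0 }
    ' "$1"
}

# $1 = server certificate (first cert in the file), $2 = trusted CA file.
# Returns 0 when a certificate in $2 has the subject named as issuer in $1.
trusted_has_issuer() {
    want=$(openssl x509 -noout -issuer_hash -in "$1") || return 2
    bundle_subject_hashes "$2" | grep -qx "$want"
}

# Constructed sample data: a throwaway CA and a certificate it issues.
make_constructed_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Constructed Test CA' \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# Demo: the site certificate alone is not a usable trusted file; the CA is.
tmp=$(mktemp -d)
make_constructed_chain "$tmp"
for f in leaf.pem ca.pem; do
    if trusted_has_issuer "$tmp/leaf.pem" "$tmp/$f"; then
        echo "$f: contains the issuer CA"
    else
        echo "$f: issuer CA missing"
    fi
done
```

On a real server, pass the file from ssl_certificate as the first argument and the file from ssl_trusted_certificate as the second.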