Plesk: Fix OCSP stapling warning for nginx

Problem

nginx: [warn] “ssl_stapling” ignored, issuer certificate not found for certificate “/usr/local/psa/var/certificates/scwqKDI92”

If you see a warning like this in your nginx error log, nginx could not find the issuer of that certificate (the CA that signed it) in the certificate chain or among the certificates it trusts. Without the issuer certificate nginx cannot request or verify the OCSP response, so it disables stapling for that certificate. Plesk keeps the CA bundles on the system up to date, but the nginx configuration it generates does not reference them by default.

Solution

Open the nginx SSL config file; nano creates it if it does not exist yet.

nano /etc/nginx/conf.d/ssl.conf

Now change the config to include ssl_trusted_certificate:

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver [::1] 127.0.0.1 [2606:4700:4700::1111] 1.1.1.1;
resolver_timeout 5s;

# Trusted CA chains
ssl_trusted_certificate /etc/ssl/certs/ca-bundle.trust.crt;

(Remove [::1] and 127.0.0.1 from the resolver line if no DNS resolver is listening locally, and remove the IPv6 addresses if the server has no IPv6 connectivity.)

Save the file with Ctrl+X and confirm with Y, then reload nginx to apply the change.

systemctl reload nginx

Make sure to manually visit the URL before testing in SSL Labs or other tools. nginx only fetches the OCSP response from the CA after the first TLS handshake, so the first connection after a reload is served without a stapled response and the stapling checks of those tests fail until the response is in the server cache.
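The script below is an added example, not part of the original post or of Plesk. It reproduces the "issuer certificate not found" condition outside nginx: it checks whether the issuer of a leaf certificate is present in a CA bundle, which is exactly what ssl_trusted_certificate has to provide, and it includes a check for a stapled OCSP response on a live server. The certificates it works on are constructed in a scratch directory; the hostname and paths are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): check whether a leaf
# certificate's issuer is present in a CA bundle, and whether a live server
# staples an OCSP response. Certificates are constructed below; the hostname
# passed to stapled_response is a placeholder.
set -eu

# Print the issuer DN of a PEM certificate, i.e. the CA nginx has to find.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# issuer_in_bundle LEAF BUNDLE: exit 0 when BUNDLE contains a certificate
# that verifies LEAF. -partial_chain lets an intermediate in BUNDLE act as
# the trust anchor, which matches what ssl_stapling needs: the direct issuer,
# not a complete path up to a root.
issuer_in_bundle() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# stapled_response HOST [PORT]: report whether a live server staples an OCSP
# response. nginx fetches the response on the first handshake after a reload,
# so run this twice before trusting a "no response sent" result.
stapled_response() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | grep -E 'OCSP Response Status|OCSP response: no response'
}

# Build a constructed issuing CA, a leaf it signs, and an unrelated CA that
# stands in for a trust bundle lacking the issuer. Prints the directory.
make_fixture() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Issuing CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
    echo "$dir"
}

# Demonstration on the constructed certificates.
fixture=$(make_fixture)
cert_issuer "$fixture/leaf.crt"
if issuer_in_bundle "$fixture/leaf.crt" "$fixture/ca.crt"; then
    echo "issuer found in ca.crt: ssl_stapling can verify this certificate"
fi
if ! issuer_in_bundle "$fixture/leaf.crt" "$fixture/other.crt"; then
    echo "issuer missing from other.crt: nginx would log the ssl_stapling warning"
fi
rm -rf "$fixture"
```

On a Plesk host, point issuer_in_bundle at the certificate file named in the warning and at the bundle you set in ssl_trusted_certificate; a non-zero exit means the warning will come back after the reload. The bundle path in this post is the CentOS/RHEL one; on Debian and Ubuntu the system bundle is usually /etc/ssl/certs/ca-certificates.crt. Running nginx -t before the reload catches a wrong path before it takes effect, and stapled_response against your own domain confirms the fix from the client side once the cache is warm.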
