The Error Message
You’ve likely seen this warning while testing your Nginx configuration or restarting the service. It usually looks like this in your terminal:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/ssl/certs/example.com.crt"
Your website will still load over HTTPS, and Nginx will start without failing. However, OCSP Stapling—a feature that speeds up SSL handshakes—is now disabled. Without it, every visitor's browser must contact the Certificate Authority (CA) to check if your certificate is revoked. This extra step can add 200ms to 500ms of latency to your initial page load.
Root Cause
OCSP (Online Certificate Status Protocol) Stapling allows your server to prove its certificate is valid without the browser doing the heavy lifting. To perform this check, Nginx needs to see the full path from your domain certificate to the Root CA.
The warning triggers because your ssl_certificate file only contains your domain's public certificate. It is missing the Intermediate Certificate. This intermediate file acts as the bridge between your site and the trusted Root CA. Without it, Nginx cannot verify the "issuer" and simply gives up on stapling.
How to Fix It
You have two ways to resolve this. The first method is the industry standard and works best for most setups.
Method 1: Create a Full Chain Certificate (Recommended)
Merge your domain certificate and the intermediate certificate into one file. Order matters here. Your domain certificate must appear first, followed by the intermediate certificate.
- Find your certificate files. Usually, you will have your_domain.crt and a bundle.crt (or intermediate.crt).
- Combine them with the cat command:
cat your_domain.crt intermediate.crt > your_domain_fullchain.crt
If your CA provided multiple intermediate files (e.g., intermediate1.crt and intermediate2.crt), stack them in order: Domain -> Intermediate 1 -> Intermediate 2.
- Update your Nginx site configuration (often in /etc/nginx/sites-available/):
server {
listen 443 ssl;
server_name example.com;
# Point to your new combined file
ssl_certificate /etc/ssl/certs/your_domain_fullchain.crt;
ssl_certificate_key /etc/ssl/private/your_domain.key;
ssl_stapling on;
ssl_stapling_verify on;
}
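The order rule in Method 1 is easy to get wrong by hand, and Nginx only reports the symptom. As an added example (not code from the original article), the script below builds a throwaway root, intermediate and leaf certificate with the openssl CLI, concatenates them in the right and the wrong order, and checks the property Nginx relies on: each certificate's issuer must be the subject of the certificate that follows it. Every name and file here (Demo Root CA, example.test, the temp directory layout) is constructed for the demo.

```bash
#!/bin/sh
# Added example, not from the original article: build a disposable
# root -> intermediate -> leaf chain with openssl, then check that a
# concatenated "fullchain" file is in the order Nginx needs
# (leaf first, then its issuer, then that issuer's issuer).
# All names (Demo Root CA, example.test, file names) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_chain: self-signed root, intermediate signed by the root,
# leaf signed by the intermediate. Keys are throwaway demo keys.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -sha256 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -set_serial 2 -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.crt" \
    -CAkey "$WORK/intermediate.key" -set_serial 3 -days 2 -sha256 \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# count_certs FILE: number of PEM certificates in FILE (0 if none).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_pem FILE DIR: write the N-th certificate in FILE to DIR/cert-N.pem
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$1"
}

# check_chain_order FILE: return 0 if FILE holds at least two certificates
# and the issuer of certificate i equals the subject of certificate i+1
# for every consecutive pair; return 1 otherwise.
check_chain_order() {
  n="$(count_certs "$1")"
  if [ "$n" -lt 2 ]; then
    echo "  $1: only $n certificate(s); no issuer present for OCSP stapling" >&2
    return 1
  fi
  cdir="$(mktemp -d)"
  split_pem "$1" "$cdir"
  i=1
  while [ "$i" -lt "$n" ]; do
    next=$((i + 1))
    issuer="$(openssl x509 -in "$cdir/cert-$i.pem" -noout -issuer)"
    subject="$(openssl x509 -in "$cdir/cert-$next.pem" -noout -subject)"
    # Strip the "issuer="/"subject=" prefixes and compare the DNs only.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "  $1: certificate $next is not the issuer of certificate $i" >&2
      rm -rf "$cdir"
      return 1
    fi
    i=$next
  done
  rm -rf "$cdir"
  return 0
}

make_chain
FULLCHAIN="$WORK/fullchain.crt"       # correct: leaf, then intermediate
WRONG_ORDER="$WORK/wrong_order.crt"   # intermediate before leaf
LEAF_ONLY="$WORK/leaf_only.crt"       # the file that triggers the warning
cat "$WORK/leaf.crt" "$WORK/intermediate.crt" > "$FULLCHAIN"
cat "$WORK/intermediate.crt" "$WORK/leaf.crt" > "$WRONG_ORDER"
cat "$WORK/leaf.crt" > "$LEAF_ONLY"

for f in "$FULLCHAIN" "$WRONG_ORDER" "$LEAF_ONLY"; do
  if check_chain_order "$f"; then
    echo "OK   $(basename "$f")"
  else
    echo "FAIL $(basename "$f")"
  fi
done
```

Run it as a plain `sh` script with the openssl CLI installed; it needs no network. A leaf-only file fails the check for the same reason Nginx prints the warning: there is no second certificate in the file to serve as the issuer. To check a real deployment, point check_chain_order at the file your ssl_certificate directive names.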
Method 2: Use the ssl_trusted_certificate Directive
If you prefer keeping your files separate, use this directive to tell Nginx exactly where the issuer's certificate lives. This is common in environments where certificates are managed by automated scripts that separate the leaf and the chain. Because ssl_stapling_verify on also uses this file to verify the OCSP response, it should contain the issuer certificate, any further intermediates, and the root certificate.
- Keep ssl_certificate pointing to your domain cert only.
- Add the ssl_trusted_certificate directive pointing to your CA bundle:
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/certs/example.com.crt;
ssl_certificate_key /etc/ssl/private/example.com.key;
# Explicitly define the issuer for OCSP
ssl_trusted_certificate /etc/ssl/certs/intermediate_bundle.crt;
ssl_stapling on;
ssl_stapling_verify on;
# Use Google or Cloudflare DNS for OCSP lookups
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;
}
Verification
Always check your work before reloading. Run the Nginx syntax test:
sudo nginx -t
If the warning is gone, you'll see a success message. Now, reload Nginx to apply the changes:
sudo systemctl reload nginx
To confirm OCSP stapling is active, use this OpenSSL command:
openssl s_client -connect example.com:443 -status -servername example.com | grep -A 17 "OCSP response:"
Search the output for OCSP Response Status: successful (0x0). If that appears, your server is successfully stapling the revocation status.
Prevention
- Switch to Fullchain: If you use Let's Encrypt with Certbot, stop using cert.pem. Always use fullchain.pem in your Nginx config.
- Examine Provider Zips: When downloading certs from Namecheap or DigiCert, look for the "bundle" or "chain" file. Don't ignore it.
- Automate Correctly: If you use Ansible or Terraform, ensure your deployment scripts automatically concatenate the domain cert and the CA bundle into a single file.