I use my own wildcard certificate for the domain. But I see an error in the nginx log, for example:
[error] 354112#354112: OCSP_basic_verify() failed (SSL: error:13800065:OCSP routines::certificate verify error:Verify error: self-signed certificate in certificate chain) while requesting certificate status, responder: ocsp.globalsign.com, peer: 151.101.130.133:80, certificate: "/home/user/conf/web/mydomain/ssl/mydomain.pem"
I opened this file and checked it - there is only one wildcard certificate + 2 root certificates at the end. At the same time, some services really do not work, because they detect a self-signed certificate in the chain.
I do not see any error in the browser either (chrome).
I checked from another machine with openssl s_client -showcerts -connect mydomain.com:443
and it looks good - every part of the chain answers OK.
Without knowing the actual domain, it is hard to guess what’s going on. Perhaps you are using the wrong intermediate certificate, or you added more CA certificates than necessary…
Show the output of this command (replace example.com by the actual domain):
openssl s_client -connect example.com:443 -servername example.com 1>/dev/null <<<:
Thank you for your answer
This is the log in nginx error.log for each user domain. As an example, one of the domains:
2025/01/22 12:50:26 [error] 647551#647551: OCSP_basic_verify() failed (SSL: error:13800065:OCSP routines::certificate verify error:Verify error: self-signed certificate in certificate chain) while requesting certificate status, responder: ocsp.globalsign.com, peer: 151.101.194.133:80, certificate: "/home/shaffer/conf/web/dezarsenal.ru/ssl/dezarsenal.ru.pem"
And the answer for this domain to
openssl s_client -connect dezarsenal.ru:443 -servername dezarsenal.ru 1>/dev/null <<<:
depth=2 OU = GlobalSign Root CA - R6, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R6 AlphaSSL CA 2023
verify return:1
depth=0 CN = www.dezarsenal.ru
verify return:1
DONE
Earlier I wrote that some services do not work because of the presence of a self-signed certificate in the chain. But now this problem does not exist. I apologize for misleading you - earlier, with similar behavior, the service gave a different response to the openssl request, but this entry in the nginx log file still confuses me.
I don’t see any obvious issues, everything seems to be working fine on my end. The only thing to note is that you mentioned the certificate was a wildcard certificate, but the one you are using is not a wildcard certificate.
Try to check OCSP validation:
cd /home/shaffer/conf/web/dezarsenal.ru/ssl/
openssl ocsp -issuer dezarsenal.ru.ca -cert dezarsenal.ru.pem -text -url http://ocsp.globalsign.com
Additionally, the error message in the log could simply be caused by a single issue, such as a problem validating the certificate, a network issue, or an error with GlobalSign.
If you notice this happening repeatedly, you could always disable ssl_stapling. In that case, browsers will rely on OCSP or CRLs to validate the certificate.
Although you’re not using it, as an example, Let’s Encrypt will discontinue the use of OCSP for their certificates on May 7th, 2025, and will instead rely on CRLs. Your certificate supports both methods (OCSP and CRL).
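As an added example (not code from the thread or from nginx), here is a shell script that does the chain-file inspection the poster did by hand: it splits a PEM bundle such as the ssl_certificate file, prints each certificate's subject, and marks the ones whose issuer equals their subject, which is what "self-signed certificate in certificate chain" refers to. It assumes openssl, awk and mktemp are available; the root and leaf it builds at the end are constructed throwaway certificates with made-up names.

```shell
# Inspect a PEM bundle (e.g. nginx's ssl_certificate file): list each
# certificate and flag the self-signed ones (subject == issuer).
set -eu

# split_bundle BUNDLE DIR: write each certificate in BUNDLE to DIR/certNN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" sprintf("%02d", n) ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# cert_field FILE subject|issuer: print the DN without the "subject="/"issuer=" prefix
cert_field() {
    openssl x509 -noout "-$2" -in "$1" | sed "s/^$2= *//"
}

# chain_report BUNDLE: one line per certificate, in bundle order, marking
# self-signed entries (roots) versus certificates issued by another CA
chain_report() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    i=0
    for f in "$dir"/cert*.pem; do
        i=$((i + 1))
        subj=$(cert_field "$f" subject)
        iss=$(cert_field "$f" issuer)
        if [ "$subj" = "$iss" ]; then
            echo "$i: $subj [self-signed]"
        else
            echo "$i: $subj [issued by $iss]"
        fi
    done
    rm -rf "$dir"
}

# Constructed demo: a throwaway root and a leaf it issued, concatenated in
# the leaf-first order nginx expects. Names are made up for this example.
DEMO=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$DEMO/root.key" -out "$DEMO/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$DEMO/leaf.key" -out "$DEMO/leaf.csr" 2>/dev/null
openssl x509 -req -in "$DEMO/leaf.csr" -CA "$DEMO/root.pem" -CAkey "$DEMO/root.key" \
    -set_serial 1 -days 1 -out "$DEMO/leaf.pem" 2>/dev/null
cat "$DEMO/leaf.pem" "$DEMO/root.pem" > "$DEMO/bundle.pem"
chain_report "$DEMO/bundle.pem"
```

Run it against the real bundle with `chain_report /path/to/domain.pem`; a leaf plus intermediate should show no self-signed line, while any appended root shows up as `[self-signed]`.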