
OCSP stapling fails in nginx on Fedora 28 with "Permission denied"


I noticed that my nginx instance was not stapling OCSP responses. In the nginx error.log I saw:

connect() to failed (13: Permission denied) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer:, certificate: "/path/to/fullchain.pem"


The SELinux audit log explains the EACCES. Searching today's AVC denials with

ausearch -m AVC -ts today

shows the nginx worker, confined in the httpd_t domain, being refused an outbound TCP connection to a port labelled http_port_t:

type=AVC msg=audit(1529680797.942:639): avc: denied { name_connect } for pid=5011 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

This is because, with SELinux in enforcing mode, the httpd_t domain that nginx runs in is not allowed to open outbound TCP connections by default: the httpd_can_network_connect boolean is off, so the name_connect to port 80 that fetching the OCSP response needs is denied. Fix it by turning the boolean on persistently (-P writes it into the policy store so it survives a reboot):

setsebool -P httpd_can_network_connect 1

and OCSP stapling should work. Keep in mind that this boolean lets httpd_t connect to any TCP port on any host; if nginx only needs to reach HTTP ports such as the OCSP responder's, the narrower httpd_can_network_relay boolean (which covers http_port_t) is a smaller grant.
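To avoid flipping a boolean on the strength of the wrong denial, here is an added shell example (not from the original post) that parses AVC lines of the shape ausearch printed above and recommends the fix only for the exact case shown: httpd_t denied name_connect on a tcp_socket. The function names and the sample line are this example's own constructions; the live ausearch and openssl invocations are real commands but need root and network respectively.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Parses SELinux AVC denial lines
# and recommends httpd_can_network_connect only for the outbound-connect case.

# Constructed sample with the same fields as the denial shown in the post
# (real ausearch output has two spaces around "denied"; both forms are handled).
SAMPLE_AVC='type=AVC msg=audit(1529680797.942:639): avc: denied { name_connect } for pid=5011 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# avc_field LINE KEY: print the value of "KEY=value" in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{\([^}]*\)}.*/\1/p' | tr -d ' '
}

# avc_domain LINE: the type (third field) of the source context, e.g. httpd_t.
avc_domain() {
    avc_field "$1" scontext | cut -d: -f3
}

# ocsp_stapling_fix LINE: if LINE is an outbound TCP connect denied to the
# httpd_t domain, print the command that lifts it and return 0. Any other
# denial (file access, a different domain, ...) returns 1, so it is not
# papered over with a network boolean that would not fix it anyway.
ocsp_stapling_fix() {
    if [ "$(avc_perm "$1")" = name_connect ] &&
       [ "$(avc_domain "$1")" = httpd_t ] &&
       [ "$(avc_field "$1" tclass)" = tcp_socket ]; then
        echo 'setsebool -P httpd_can_network_connect 1'
        return 0
    fi
    return 1
}

# stapling_check HOST: live check (needs network and the openssl CLI) that the
# server now staples an OCSP response; returns 0 when a good status is stapled.
stapling_check() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null |
        grep -q 'OCSP Response Status: successful'
}

# Offline demonstration on the constructed sample (prints the setsebool line).
ocsp_stapling_fix "$SAMPLE_AVC"
# Live use on the SELinux host, as root:
#   ausearch -m AVC -ts today -c nginx | while IFS= read -r l; do ocsp_stapling_fix "$l" || :; done
```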