NGINX shows warning: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate

Applicable to:

  • Plesk for Linux

Symptoms

  • NGINX fails to start with a timeout error:

    # service nginx status
    ● nginx.service - Startup script for nginx service
    Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/nginx.service.d
    └─limit_nofile.conf
    Active: failed (Result: timeout) since Wed 2020-05-06 08:53:06 EEST; 16min ago
    May 06 08:53:06 wh01.n8solutions.host systemd[1]: Failed to start Startup script for nginx service.

  • The NGINX configuration test shows the following warning:

    # nginx -t
    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/psa/var/certificates/scfU5oE9u"
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

  • The certificate file from the warning is assigned to the example.com domain:

    # grep -iR scfU5oE9u /var/www/vhosts/system/*/conf/*.conf 
    /var/www/vhosts/system/example.com/conf/httpd.conf: SSLCertificateFile /usr/local/psa/var/certificates/scfU5oE9u

  • In Domains > example.com > SSL/TLS Certificates, OCSP support is enabled;
  • Outbound connections cannot be established from the server:

    # nmap google.com -p443
    Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-06 10:24 EEST
    Failed to resolve "google.com".
    WARNING: No targets were specified, so 0 hosts scanned.
    Nmap done: 0 IP addresses (0 hosts up) scanned in 56.09 seconds

Cause

Outbound connections are not available from the server, so OCSP cannot connect to the external source to check certificate validity.
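
To confirm this cause against the responder the certificate actually points to, the following added example (not part of the original article) pulls the certificate paths out of the `nginx -t` warning, reads each certificate's OCSP responder URL and reports whether DNS or the connection fails. It assumes `openssl` and `curl` are installed; the function names and the `--run` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): locate the certificates named
# in nginx's "ssl_stapling" ignored warning and test their OCSP responders.

# Print certificate paths from `nginx -t` output supplied on stdin.
stapling_warned_certs() {
    sed -n 's/.*"ssl_stapling" ignored.* for certificate "\([^"]*\)".*/\1/p' | sort -u
}

# Print the host part of a responder URL (scheme, port and path stripped).
ocsp_host() (
    rest=${1#*://}; hostport=${rest%%/*}
    printf '%s\n' "${hostport%%:*}"
)

# Translate a curl exit status into the failure this article is about.
explain_curl_exit() {
    case $1 in
        0)  echo "reachable" ;;
        6)  echo "DNS resolution failed" ;;
        7)  echo "TCP connection failed" ;;
        28) echo "connection timed out" ;;
        *)  echo "curl error $1" ;;
    esac
}

# Read the responder URL from a certificate and try to contact it.
check_responder() (
    cert=$1
    url=$(openssl x509 -noout -ocsp_uri -in "$cert" 2>/dev/null | head -n 1)
    if [ -z "$url" ]; then
        echo "$cert: no OCSP responder URL in certificate"; return 1
    fi
    rc=0
    curl -s -o /dev/null --connect-timeout 5 --max-time 10 "$url" || rc=$?
    echo "$cert: $(ocsp_host "$url"): $(explain_curl_exit "$rc")"
    [ "$rc" -eq 0 ]
)

if [ "${1:-}" = "--run" ]; then
    # Live check on the server (hypothetical switch): sh check_ocsp.sh --run
    nginx -t 2>&1 | stapling_warned_certs | while read -r cert; do
        check_responder "$cert" || true
    done
else
    # Offline demo on the warning line quoted in this article.
    echo 'nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/psa/var/certificates/scfU5oE9u"' | stapling_warned_certs
fi
```

A "DNS resolution failed" result matches the failed `nmap` lookup shown in the symptoms.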

Resolution

  1. Log into Plesk;
  2. Go to Domains > example.com > SSL/TLS Certificates;
  3. Disable the OCSP Stapling option;
  4. Re-enable it.