
I have set up nginx with SSL and letsencrypt certificates. However, I am unable to get OCSP stapling to work.

From what I found on the web, it should work with the following configuration; unfortunately it does not. My nginx vhost looks like this:

server {

    ...

    # SSL Certificates
    ssl_certificate         /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;

    # Allow Nginx to send OCSP results during the connection process
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    ...
}

When I scan my domain with https://www.ssllabs.com it reports:

OCSP stapling   No

What am I missing in my configuration?

lockdoc
  • Is your server blocked from making connections to the OCSP server to port 80? – Richard Smith Apr 05 '16 at 18:08
  • No, I can download stuff via `wget` from http and https from within my server – lockdoc Apr 06 '16 at 08:34
  • the `valid=300s` parameter on the resolver configuration is an often copy-pasted, but much less often needed option. nginx >= 1.1.9 will do what the CA's TTL says, and that's most likely a reasonable choice. – anx Aug 25 '17 at 23:45

2 Answers


I don't see anything wrong with your setup, but maybe removing the redundant resolver directive will yield a different result.

I've also faced a similar situation, and I've even tested OCSP stapling using openssl based on this article:

echo QUIT | openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

No output means OCSP stapling is not yet working.

From what I observe, if I restart/reload Nginx and then immediately test using SSL Labs, it fails. I would then test with the above command a few times until it works, and then re-test on SSL Labs. I recommend you give it a shot, and if it fails the first time, give it a few minutes and try again. It works for me.

rad
  • Thanks for the info, I will try. Also to note, you will need to add `-servername www.yourdomain.com` for SNI based hosts – lockdoc Apr 08 '16 at 08:59
  • Ah, I didn't know that about SNI. Thanks for the info! – rad Apr 08 '16 at 09:02

nginx is fetching the OCSP response after the first time a request using the respective certificate was made.

This behaviour is probably going to be changed in order to fully support OCSP Must Staple.

Until that happens, a reliable test for stapling is to connect multiple times, allowing nginx some time to fetch the signed response in between.

for i in 3 0; do openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>&1 | grep -A 13 OCSP; sleep $i; done

OCSP responders do fail - a lot. If they are slow, nginx will give up after an (unconfigurable, afaik 60sec) timeout and note so in the error log. If you want to know right away, try:

openssl x509 -noout -text -in example.crt | grep "OCSP - URI" | cut -d: -f2,3 | grep -io "^http://[-.a-z0-9]*$" | xargs curl -D-
anx
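As an added example that is not part of either answer, the following POSIX shell script combines the two checks above: it classifies the OCSP section of `openssl s_client -status` output and retries the connection a few times so that nginx has a chance to fetch the response between connections. The `ocsp_classify` and `ocsp_poll` names and the abridged s_client fragments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the OCSP section of
# `openssl s_client -status` output and poll a host a few times, since nginx
# only fetches the response after the first connection that uses the cert.

# Reads s_client output on stdin; prints stapled (good response delivered),
# bad (response stapled but status not good), unsent (no OCSP response, the
# SSL Labs "No" case) or unknown (not s_client -status output).
ocsp_classify() {
    out=$(cat)
    case "$out" in
        *"OCSP response: no response sent"*) echo unsent ;;
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*) echo stapled ;;
                *) echo bad ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# Connect to $1:443 with SNI up to $2 times (default 3), pausing $3 seconds
# (default 3) between attempts. Returns 0 once a good stapled response is seen.
ocsp_poll() {
    host=$1; tries=${2:-3}; pause=${3:-3}; n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        status=$(printf 'QUIT\n' | openssl s_client -connect "$host:443" \
            -servername "$host" -status 2>/dev/null | ocsp_classify)
        echo "attempt $n: $status"
        [ "$status" = stapled ] && return 0
        [ "$n" -lt "$tries" ] && sleep "$pause"
    done
    return 1
}

# Constructed, abridged s_client fragments for offline demonstration.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Apr 13 08:00:00 2016 GMT
======================================'
SAMPLE_UNSENT='OCSP response: no response sent'
printf '%s\n' "$SAMPLE_STAPLED" | ocsp_classify   # stapled
printf '%s\n' "$SAMPLE_UNSENT"  | ocsp_classify   # unsent
if [ $# -gt 0 ]; then ocsp_poll "$1"; fi          # live check: ./ocsp.sh host
```

Run it with a hostname argument to probe a live server; a `bad` result means the responder did staple something, but the certificate status it reports is not `good`.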