
Is there a way to make Nginx proactively OCSP staple certificates each time its configuration is reloaded or it is re-started? Alternatively, can Nginx be set to save the stapled certificates across reloads or restarts instead of discarding them? Reloading or restarting Nginx appears to clear all cached OCSP stapled certificates.

I have OCSP stapling tested and working on an Ubuntu 16.04.1 server running Nginx 1.11.4 and using Certbot's OCSP Must-Staple TLS feature extension. My problem is that upon reload or restart of Nginx, the stapled response is not saved and the first visitor sees an error page instead (this is the expected outcome for "must staple" certs not yet stapled by the server).

I have to visit each website hosted by the server and reload them a couple times while Nginx automagically OCSP staples the certificates, then everything starts working again until the next restart. I'd like to automate this step or avoid it altogether.

Tom Brossman
  • Don't you use the OCSP directives in your nginx config? I don't understand what this certbot thing is for. – Rob Sep 30 '16 at 12:32
  • @Rob certbot is used for automatically obtaining certificates from Let's Encrypt. It isn't involved in OCSP stapling. – Scott Helme Sep 30 '16 at 12:54
  • @ScottHelme I understand that as I use it myself but he says he uses certbot for ocsp. – Rob Sep 30 '16 at 13:33
  • @Rob Certbot is used to produce the specific OCSP "must staple" certificate type, however the actual OCSP directives are specified in the usual way using Nginx. My error occurs with this specific certificate type, which Certbot offers as an option. – Tom Brossman Sep 30 '16 at 14:28

1 Answer


This article explains one way to do it: https://matthiasadler.info/blog/ocsp-stapling-on-nginx-with-comodo-ssl/

The idea is to manually fetch the OCSP response and use the ssl_stapling_file directive.

https://unmitigatedrisk.com/?p=241 explains it in detail:

```sh
# Read the OCSP responder URL out of the server certificate's
# Authority Information Access extension
URL=$(openssl x509 -in "$SERVER_CER" -text | grep "OCSP - URI:" | cut -d: -f2,3)

# Fetch the response from the responder and write it (DER) to ocsp.resp
openssl ocsp -noverify -no_nonce -respout ocsp.resp \
    -issuer "$ISSUER_CER" -cert "$SERVER_CER" -url "$URL"
```

Where "ocsp.resp" is whatever file you have configured in Nginx for the "ssl_stapling_file".

Tom
  • Didn’t work for me. My cert is from Let’s Encrypt; server returns 400 Bad Request. I also tried the cert at https://www.openssl.org. – Franklin Yu Jun 15 '19 at 03:12
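A cron-able version of the procedure from the answer above, as an added example that is not code from the original post or from the linked articles: it verifies the responder's signature against a CA bundle instead of using -noverify, only swaps the stapling file in when the status is "good", and reloads nginx afterwards because ssl_stapling_file is read when the configuration is loaded. The certificate, chain, output and CA-bundle paths are assumptions.

```sh
#!/bin/sh
# Refresh the file named by nginx's ssl_stapling_file from the certificate's
# OCSP responder. Added example, not code from the original answer; all
# paths below are assumptions.
set -eu

# Extract the OCSP URI from `openssl x509 -text` output (the answer's grep
# idea, minus the typographic quotes that break the original command).
ocsp_uri_from_text() {
    printf '%s\n' "$1" | grep 'OCSP - URI:' | head -n 1 \
        | sed 's/.*OCSP - URI://' | tr -d ' \t\r'
}

# Succeed only if `openssl ocsp` output shows a verified response with a
# "good" certificate status; anything else (revoked, unknown, bad signature)
# must not end up in the stapling file.
ocsp_response_ok() {
    case $1 in *"Response verify OK"*) ;; *) return 1 ;; esac
    case $1 in *": good"*) return 0 ;; *) return 1 ;; esac
}

# refresh_staple SERVER_CERT ISSUER_CERT STAPLING_FILE [CA_BUNDLE]
refresh_staple() {
    cert=$1; issuer=$2; out=$3
    cafile=${4:-/etc/ssl/certs/ca-certificates.crt}   # Ubuntu's system bundle
    uri=$(ocsp_uri_from_text "$(openssl x509 -in "$cert" -noout -text)")
    [ -n "$uri" ] || { echo "no OCSP URI in $cert" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX")   # same directory, so the mv below is atomic
    result=$(openssl ocsp -issuer "$issuer" -cert "$cert" -url "$uri" \
                 -CAfile "$cafile" -no_nonce -respout "$tmp" 2>&1) || true
    if ocsp_response_ok "$result"; then
        mv "$tmp" "$out"
        nginx -s reload   # nginx loads ssl_stapling_file at config load time
    else
        rm -f "$tmp"
        printf 'OCSP refresh failed for %s:\n%s\n' "$cert" "$result" >&2
        return 1
    fi
}

# Run from cron, well inside the response's "Next Update" window, e.g.:
#   ocsp-refresh.sh refresh /etc/letsencrypt/live/example.com/cert.pem \
#       /etc/letsencrypt/live/example.com/chain.pem /etc/nginx/ocsp.resp
if [ "${1:-}" = refresh ]; then
    shift
    refresh_staple "$@"
fi
```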