Welcome! Log In Create A New Profile

Advanced

Re: How to enable OCSP stapling when default server is self-signed?

April 08, 2015 02:30AM
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
>
> [...]
>
> > > > So how do I enable OCSP stapling for my vhosts when the default
> > > server cert
> > > > is self-signed? This seems like a potential bug in the nginx
> SSL
> > > module.
> > >
> > > Just enable ssl_stapling in appropriate server{} blocks.
> >
> > As far as I can tell, I'm already doing that:
> >
> > http://pastebin.com/Ymb5hxDP
>
> The configuration you are testing with seems to be
> overcomplicated. Nevertheless, it should work assuming correct
> certificates are supplied and OCSP responder works fine. What
> makes you think that it doesn't work?

Running the 'openssl s_client' command only returns "OCSP response: no response sent" as evidenced here (I've replaced the actual domain with "mydomain.org" in the command):

# openssl s_client -servername mydomain.org -connect mydomain.org:443 -tls1 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01 .
OCSP response: no response sent
...

Also, the Qualys SSL labs test indicates OCSP support in the certificate but no OCSP stapling for the server.

ssl_certificate /var/www/mydomain.org/mydomain.org.chain.pem;

That contains the signed certificate, intermediate CA cert, and root CA cert (in that order). PEM format.

ssl_certificate_key /var/www/mydomain.org/mydomain.org.key.pem;

That contains the private key. PEM format.

ssl_trusted_certificate /var/www/root.certs.pem;

That contains the intermediate CA cert and root CA cert (in that order). PEM format.


And the OCSP responder itself is working fine because Firefox is working fine (for the moment) and I can also ping the OCSP responder and access the OCSP responder directly using the URL in the certificate from the server that nginx sits on. The CA's OCSP responder went down for a few hours a couple of days ago, which caused my browser (Firefox) to freak out and deny access to my own website. At that point I went about figuring out setting up OCSP stapling to prevent the issue from reoccurring in the future. The certificate has the v3 OCSP extension in it and it points at a valid location. There aren't any errors in the nginx logs about attempts to retrieve OCSP responses and failing. There are no errors, warnings, or notices during startup of nginx. I've reloaded and restarted nginx many times, rebooted the whole system one time, and run the "openssl s_client" command a bunch of times after each "long-shot" configuration adjustment (and reverted shortly after back to the config you saw in the pastebin).
Subject Author Posted

How to enable OCSP stapling when default server is self-signed?

bughunter April 05, 2015 11:26PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 06, 2015 03:22PM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 07, 2015 12:26AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 07, 2015 09:24AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter April 08, 2015 02:30AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 08, 2015 11:30AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 01, 2015 11:06PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 11:54AM

Re: How to enable OCSP stapling when default server is self-signed?

bughunter May 11, 2015 10:31AM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 07, 2015 01:12PM

Re: How to enable OCSP stapling when default server is self-signed?

173279834462 May 07, 2015 02:28PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin May 08, 2015 08:48AM

Re: How to enable OCSP stapling when default server is self-signed?

numroo April 12, 2015 12:21PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin April 13, 2015 07:58AM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 28, 2016 12:44PM

Re: How to enable OCSP stapling when default server is self-signed?

Maxim Dounin September 28, 2016 05:16PM

Re: How to enable OCSP stapling when default server is self-signed?

hotwirez September 29, 2016 09:17AM

Re: How to enable OCSP stapling when default server is self-signed?

B.R. September 29, 2016 01:02PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 97
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready