Re: How to check nginx OCSP verification

A. Schulze
March 01, 2016 03:02PM
B.R.:

> I want to have details about the status nginx' validation of the initial
> OCSP query it did to the OCSP responder of the CA, especially when it goes
> wrong.

We do not let nginx fetch the OCSP data itself but use ssl_stapling_file.
A cronjob calls openssl and VERIFIES the OCSP response.

OCSP_RESPONSE='/path/to/ocsp_response_file'   # ssl_stapling_file in nginx.conf

# all intermediate and root certificates except the certificate itself
CA_CHAIN='/tmp/ca_chain.pem'
cat intermediate.pem root.pem > "${CA_CHAIN}"

DIRECT_ISSUER='root.pem'   # or intermediate.pem, exactly one certificate
CERT='cert.pem'            # for this certificate we need the OCSP response...
EXTRA_ARGS="${EXTRA_ARGS:-}"   # responder-specific tweaks, see below

# the responder URL from the certificate's Authority Information Access extension
OCSP_URI=$(openssl x509 -noout -ocsp_uri -in "${CERT}")

# fetch the response and verify it against the chain; ${EXTRA_ARGS} is
# deliberately left unquoted so that it splits into several arguments
openssl ocsp -no_nonce \
    -respout "${OCSP_RESPONSE}.tmp" \
    -CAfile "${CA_CHAIN}" \
    -issuer "${DIRECT_ISSUER}" \
    -cert "${CERT}" \
    -url "${OCSP_URI}" \
    ${EXTRA_ARGS} > "${OCSP_RESPONSE}.log" 2>&1

# a non-zero exit status means the response could not be fetched or did not verify
if [ $? -ne 0 ]; then
    # handle error
    rm -f "${OCSP_RESPONSE}.tmp"
    exit 1
fi

# openssl ocsp also exits 0 for a correctly signed "revoked" or "unknown"
# answer, so additionally require the literal good status before stapling it
if ! grep -q "^${CERT}: good" "${OCSP_RESPONSE}.log"; then
    # handle error
    rm -f "${OCSP_RESPONSE}.tmp"
    exit 1
fi

# success: replace the file atomically and make nginx re-read it
mv "${OCSP_RESPONSE}.tmp" "${OCSP_RESPONSE}"
killall -HUP nginx   # or: nginx -s reload

EXTRA_ARGS handles some special tweaks:
- Startcom: https://forum.startcom.org/viewtopic.php?f=15&t=2661
  EXTRA_ARGS='-header HOST ocsp.startssl.com'
  # OpenSSL 1.1.0 and later take the header as one argument: -header HOST=ocsp.startssl.com

- Let's Encrypt:
  https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264/3
  EXTRA_ARGS="-header HOST ocsp.int-x1.letsencrypt.org -verify_other ${DIRECT_ISSUER}"
  # double quotes, so that ${DIRECT_ISSUER} is actually expanded

You may want to adjust to your needs.

Andreas

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject / Author / Posted
How to check nginx OCSP verification - B.R. - March 01, 2016 08:54AM
Re: How to check nginx OCSP verification - Thierry - March 01, 2016 09:14AM
Re: How to check nginx OCSP verification - Alt - March 01, 2016 11:33AM
Re: How to check nginx OCSP verification - B.R. - March 01, 2016 12:14PM
Re: How to check nginx OCSP verification - A. Schulze - March 01, 2016 03:02PM