How to enable OCSP on Nginx? Please.

I use acme.sh to apply Letsencrypt SSL certificate.

Recently, we found that the CNAME target of Letsencrypt's OCSP domain (ocsp.int-x3.letsencrypt.org) was DNS-polluted in China, which caused the https website to be very slow on iOS devices (Android is not affected yet).

So, I planned to enable OCSP stapling to resolve this issue. I've tried everything but still failed.

Below are my tries:

First, I added two DNS records to the internal DNS server:

23.192.45.96 ocsp.int-x3.letsencrypt.org
23.192.45.96 a771.dscq.akamai.net

Plan A:

Add the config below to the server block of the Nginx virtual host config file:

server {
    ......
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 172.16.20.30; # internal DNS server
    listen 443 ssl http2;
    ssl_certificate /data/letsencrypt/meta.bi.doweidu.com/fullchain.cer;
    ssl_certificate_key /data/letsencrypt/meta.bi.doweidu.com/meta.bi.doweidu.com.key;
    include /data/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /data/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    ......
}

After restarting the nginx Docker container, I checked OCSP, but it wasn't enabled:

openssl s_client -connect meta.bi.doweidu.com:443 -status -tlsextdebug < /dev/null 2>&1 | grep -i "OCSP response"
OCSP response: no response sent

Plan B:

Get the OCSP response:

openssl ocsp -no_nonce \
    -respout /root/.acme.sh/meta.bi.doweidu.com/ocsp_res.der \
    -issuer /root/.acme.sh/meta.bi.doweidu.com/ca.cer \
    -cert /root/.acme.sh/meta.bi.doweidu.com/meta.bi.doweidu.com.cer \
    -url http://ocsp.int-x3.letsencrypt.org/ \
    -header "HOST" "ocsp.int-x3.letsencrypt.org"

But I got some errors:

Response Verify Failure
139961608943504:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
/root/.acme.sh/meta.bi.doweidu.com/meta.bi.doweidu.com.cer: good
	This Update: Jun 28 06:00:00 2020 GMT
	Next Update: Jul  5 06:00:00 2020 GMT

nginx version: 1.17

Could anyone tell me how to enable OCSP or resolve this issue? Please.

1 Like

Your nginx error log should show something if OCSP stapling is not working. Look there.

You might need to provide ssl_trusted_certificate if using ssl_stapling_verify. Varies by OS.

1 Like

Forgot to say, I also tried enabling ssl_trusted_certificate.

1. Generate root and intermediate certificates

# Download the root and intermediate certificates
wget -O root.pem https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
# Build the OCSP stapling verification file; note: intermediate certificate on top, root certificate below
cat intermediate.pem > chained.pem
cat root.pem >> chained.pem

2. Reconfigure nginx

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/certs/chained.pem;

But it still didn't work.

1 Like
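The "Response Verify Failure ... signer certificate not found" in the first post and the chained.pem built in the post above are two sides of the same problem: the OCSP response carries no certificate for the key that signed it, so the verifier must be handed that signer (openssl: -VAfile / -verify_other; nginx: ssl_trusted_certificate). The following script is an added example, not code from this thread: it builds a throwaway CA, a leaf, and a delegated OCSP signing certificate, issues one OCSP response with the signer left out, and then verifies it both ways. It assumes only the openssl command-line tool; every name in it (Example Test CA, meta.example.test, serial 0x1001, the Example OCSP Responder) is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "signer certificate not found"
# offline and show the verification that succeeds. All names and serials are
# constructed; only the openssl CLI is assumed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway issuing CA. It is self-signed, so the one file plays the role of
# both the intermediate (issuer of the leaf) and the root (trust anchor).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Test CA" \
    -keyout ca.key -out ca.cer >/dev/null 2>&1

# Leaf certificate with a fixed serial so the CA index below can refer to it.
openssl req -newkey rsa:2048 -nodes -subj "/CN=meta.example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.cer -CAkey ca.key -set_serial 0x1001 \
    -days 30 -out leaf.cer >/dev/null 2>&1

# Delegated OCSP signing certificate (a real responder needs the OCSPSigning
# extended key usage for full chain validation).
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example OCSP Responder" \
    -keyout ocsp.key -out ocsp.csr >/dev/null 2>&1
openssl x509 -req -in ocsp.csr -CA ca.cer -CAkey ca.key -set_serial 0x1002 \
    -days 30 -extfile ocsp.ext -out ocsp.cer >/dev/null 2>&1

# Minimal "openssl ca" index, tab separated: status V (valid), expiry, empty
# revocation date, serial, filename, subject.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=meta.example.test\n' > index.txt

# Act as the responder for one request and store the DER response.
# -resp_no_certs leaves the signer out of the response, as in the question.
openssl ocsp -index index.txt -CA ca.cer -rsigner ocsp.cer -rkey ocsp.key \
    -issuer ca.cer -cert leaf.cer -no_nonce -ndays 7 -resp_no_certs \
    -respout resp.der >/dev/null 2>&1

# Verify the stored response the way the question's command did, plus any
# extra options passed as arguments. Prints the verifier output and returns 0
# only when it reports "Response verify OK".
verify_response() {
    out=$(openssl ocsp -respin resp.der -CAfile ca.cer -issuer ca.cer \
        -cert leaf.cer -no_nonce "$@" 2>&1 || true)
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q 'Response verify OK'
}

# Leaf status as printed by a successful verification ("good" here).
leaf_status() {
    verify_response -VAfile ocsp.cer | sed -n 's/^leaf\.cer: //p'
}

echo "--- without the signer certificate (reproduces the error) ---"
if verify_response; then echo "unexpected success"; fi
echo "--- with -VAfile ocsp.cer (signer supplied and trusted) ---"
verify_response -VAfile ocsp.cer
```

The first run prints "Response Verify Failure" with "signer certificate not found" (and still prints the leaf status, which must not be trusted at that point); the second prints "Response verify OK" followed by "leaf.cer: good". For the real responder, the equivalent of -VAfile is the file with the Let's Encrypt intermediate (plus root) passed as ssl_trusted_certificate, which is what ssl_stapling_verify needs. One further thing to keep in mind when checking with openssl s_client: nginx fetches the OCSP response in the background after the first handshake, so a single check right after a restart normally shows "no response sent"; repeat the check a few seconds later before concluding stapling is off.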

And what does nginx’s error log say?

1 Like

Nothing... both nginx's error log and the virtual server's error log have nothing in them.

1 Like

Add the --ocsp option when requesting the certificate:

acme.sh --issue xxxxx .....    --ocsp
1 Like