Howto: OCSP Stapling for NGINX


#1

Hi guys,

I’m trying to get OCSP Stapling enabled. Read tons of guides, but can’t achieve the required result through:
```
openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status
```

  1. Do I have my domain to be whitelisted with LetsEncrypt for stapling to work?

  2. Is my config for NGINX correct?
    ```
    server {
        listen 443 ssl http2;
        server_name luckstock.com;

        ssl_certificate /etc/letsencrypt/live/luckstock.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/luckstock.com/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;

        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 180m;

        ssl_stapling on;
        ssl_stapling_verify on;
    }
    ```


#2

I mean, I can’t get the desired result from the command line with openssl:
```
$ openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status
```
It always returns “no response …”, while the SSL Labs and DigiCert tests return OCSP stapling: Yes.

Not sure if it’s working correctly, but I had to add to the nginx server conf:
```
resolver 8.8.8.8 8.8.4.4 valid=86400s;
resolver_timeout 5s;
```
to get it showing Yes for OCSP stapling.

Could anyone check if my configuration is Ok?


#3

```
ssl_trusted_certificate /path/to/letsencrypt/ca-certificate.pem
```
You only have to add this directive for OCSP to work.


#4

As far as I read the community forums, there is no need to add this line, as fullchain.pem already includes the ca-certificate.pem part.
Thanks for the response anyway!


#5

AFAIK ssl_trusted_certificate is needed in order to verify OCSP responses, independent of ssl_certificate:


#6

You need fullchain.pem for the browser’s trust chain, while ssl_trusted_certificate is mandatory for OCSP. Add it and check if OCSP is working. You may not get an immediate response, so you have to let nginx “prime” it first, but it should be working for all subsequent requests.


#7

@pfg and @lulu are correct: You need to set the ssl_trusted_certificate to chain.pem for OCSP stapling to work. Also bear in mind that Nginx lazy-loads OCSP responses. So the first request will not have a stapled response, but subsequent requests will.

I’ve got some example configs in https://github.com/jsha/ocsp-stapling-examples, but they are essentially the same as yours.


#8

Thanks guys, adding the following helped to achieve the result:
```
ssl_trusted_certificate /etc/letsencrypt/domain/live/chain.pem
```
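The thread ends with two things a practitioner wants to verify: that the server block actually carries every directive the replies turned out to be needed (ssl_stapling, ssl_stapling_verify, ssl_trusted_certificate pointing at chain.pem, and a resolver, from #2, #3, #7 and #8), and that a live handshake really carries a stapled response, allowing for the lazy loading described in #6 and #7 where the first handshake after a reload has none. The script below is an added example, not code from any poster or from nginx; it assumes the openssl CLI is installed, the host name example.invalid and the paths in the sample block are placeholders, and the sample server block is constructed from the thread’s config with the missing pieces added.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for nginx OCSP stapling:
#  1. lint_stapling_config            reads a server block on stdin and reports
#                                     any stapling-related directive missing
#  2. check_stapling HOST [PORT] [N]  handshakes with `openssl s_client -status`
#                                     up to N times, because nginx fetches the
#                                     OCSP response lazily and the first
#                                     handshake after a reload carries none
# Assumes the openssl CLI; host and paths below are placeholders.

# Constructed sample: the thread's server block plus the directives it lacked.
SAMPLE_CONFIG='server {
    listen 443 ssl http2;
    server_name example.invalid;

    ssl_certificate     /etc/letsencrypt/live/example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.invalid/privkey.pem;
    # chain.pem (issuer certs only) lets nginx verify the OCSP response it staples
    ssl_trusted_certificate /etc/letsencrypt/live/example.invalid/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    # nginx needs a resolver to look up the OCSP responder named in the cert
    resolver 8.8.8.8 8.8.4.4 valid=86400s;
    resolver_timeout 5s;
}'

# lint_stapling_config: print "missing: <directive>" for each absent directive;
# exit status 0 only when the block carries all of them.
lint_stapling_config() {
    conf=$(cat)
    missing=0
    need() {   # need REGEX LABEL
        if ! printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$1"; then
            echo "missing: $2"
            missing=1
        fi
    }
    need 'ssl_stapling[[:space:]]+on;'        'ssl_stapling on'
    need 'ssl_stapling_verify[[:space:]]+on;' 'ssl_stapling_verify on'
    need 'ssl_trusted_certificate[[:space:]]' 'ssl_trusted_certificate'
    need 'resolver[[:space:]]'                'resolver'
    return $missing
}

# classify_stapling: read `openssl s_client -status` output on stdin and print
# stapled, not-stapled, or error (no usable handshake output at all).
classify_stapling() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    else
        echo error
    fi
}

# check_stapling HOST [PORT] [ATTEMPTS]: repeat the handshake until a stapled
# response shows up (the first attempt primes nginx). Exit 0 if stapled.
check_stapling() {
    host=$1; port=${2:-443}; attempts=${3:-3}
    i=1
    while [ "$i" -le "$attempts" ]; do
        result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
                     -servername "$host" -status 2>/dev/null | classify_stapling)
        echo "attempt $i: $result"
        [ "$result" = stapled ] && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Usage: ./ocsp-check.sh luckstock.com   (lint the sample block, then probe)
if [ "$#" -gt 0 ]; then
    printf '%s\n' "$SAMPLE_CONFIG" | lint_stapling_config
    check_stapling "$@"
fi
```

To lint a real configuration instead of the constructed sample, pipe the file into `lint_stapling_config`; the probe deliberately omits `-tls1` from the original command, since forcing TLS 1.0 is unrelated to stapling and many servers no longer offer it.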

