I’m trying to get OCSP Stapling enabled. Read tons of guides, but can’t achieve the required result through:
```sh
openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status
```
Do I have my domain to be whitelisted with LetsEncrypt for stapling to work?
Is my config for NGINX correct?
```nginx
server {
    listen 443 ssl http2;
    server_name luckstock.com;
    # (remaining directives not shown in the post)
}
```
I mean, I can’t get the desired result from command line with openssl:
```sh
$ openssl s_client -connect luckstock.com:443 -tls1 -tlsextdebug -status
```
It always returns “no response …”, while the ssllabs and digicert tests return OCSP stapling: Yes.
Not sure if it’s working correctly, but I had to add this to the nginx server conf:
```nginx
resolver 8.8.8.8 8.8.4.4 valid=86400s;
resolver_timeout 5s;
```
to get it showing Yes for OCSP stapling.
As far as I read the community forums, there is no need to add this line, as fullchain.pem already includes the ca-certificate.pem part.
Thanks for the response anyway!
You need fullchain.pem for the trust chain of the browser, while ssl_trusted_certificate is mandatory for OCSP. Add it and check if OCSP is working. You may not get an immediate response, so you have to "prime" nginx first, but it should be working for all subsequent requests.
@pfg and @lulu are correct: You need to set the ssl_trusted_certificate to chain.pem for OCSP stapling to work. Also bear in mind that Nginx lazy-loads OCSP responses. So the first request will not have a stapled response, but subsequent requests will.
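The two-handshake check the answers above imply, as an added example that is not part of the thread: nginx fetches the OCSP response lazily, so a probe has to connect once to prime it and then inspect the second handshake. The `ocsp_status` parser works on captured `openssl s_client -status` output, so it can be exercised offline with the constructed transcripts at the bottom; `check_stapling` is a hypothetical wrapper that runs the probe against a live host.

```sh
#!/bin/sh
# Classify one openssl s_client -status transcript.
# Prints "stapled", "none" or "unknown" (unexpected output, e.g. a failed handshake).
ocsp_status() {
  # $1 = text captured from: openssl s_client -connect host:443 -status
  if printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo none
  else
    echo unknown
  fi
}

# Probe a live host twice: the first handshake primes nginx's OCSP cache,
# the second one is the real check. Returns 0 when a response is stapled.
# No protocol version is pinned, so the client negotiates whatever the
# server offers; -servername sends SNI so the right vhost answers.
check_stapling() {
  host=$1; port=${2:-443}
  i=0
  while [ "$i" -lt 2 ]; do
    out=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
            -servername "$host" -status 2>/dev/null)
    status=$(ocsp_status "$out")
    i=$((i + 1))
  done
  echo "$host: $status"
  [ "$status" = stapled ]
}

# Constructed sample transcripts (abridged from what openssl prints), for offline use.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
```

Run `check_stapling luckstock.com` after a reload: a "none" on the second handshake, once the resolver can reach the CA's OCSP responder, points at a missing ssl_trusted_certificate rather than at cold-cache behaviour.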