NGINX OCSP not responding

Saturn2888 · January 8, 2016, 3:50am

Ubuntu 14.04 (3.13.0-24-generic)
NOTE: When using NGINX 1.4.6 or 1.8.0 with this config, I am able to get an A+ on SSL Labs, but OCSP is not responding.

Is this a Let’s Encrypt problem or something else entirely?

server {
    listen 80;
    listen 443 ssl http2;

    server_name dev.mysite.com;

    keepalive_timeout 70;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/dev.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.mysite.com/privkey.pem;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AESGCM:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    # resolver 127.0.0.1 valid=300s;
    # resolver 8.8.8.8 8.8.4.4 valid=1s;
    # resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/dev.mysite.com.access.log;
    error_log /var/log/nginx/dev.mysite.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:37453/;
    }
}

prusswan · January 8, 2016, 5:45am

Not a LE issue, but nginx behavior. You may need to manually verify that oscp stapling is working as intended. For automation purposes, this was raised as an issue (more like enhancement) in LE

More info:

https://trac.nginx.org/nginx/ticket/812

Saturn2888 · January 9, 2016, 3:24am

Huh, so it looks like I have to prefetch the OCSP responses so when a client asks NGINX, it’s there and ready to go? Sounds like a great thing to implement in LE natively .

I’ll spend some time on it. Thanks for the article! It never came up in my searches.

Fsantiago1979 · January 9, 2016, 4:47am

I use nginx and ocsp works fine. The one difference I see in our configs is I include:

ssl_trusted_certificate /etc/letsencrypt/live/Example.com/chain.pem;

Fsantiago1979 · January 9, 2016, 4:53am

important thing here is the usage of ssl_trusted_certificate. The nginx documentation states that:

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
You have to include the root certificate (and intermediate certificates) for OCSP stapling to work, which is why ssl_trusted_certificate will be set to a special certificate file that includes those. If your ssl_certificate already does, you might be able to skip using ssl_trusted_certificate.

Topic		Replies	Views
OCSP responder timed out Help	1	2260	June 23, 2019
Ssl_stapling error nginx Server	2	5733	April 1, 2018
Let'sEncrypt + nginx on a IPv6 only server = OCSP responder timed out Server	3	4619	September 24, 2017
Howto: OCSP Stapling for NGINX Server	8	38479	May 3, 2016
OCSP failed (111: Connection refused) while requesting certificate status Help	4	2255	November 2, 2019

NGINX OCSP not responding

Related topics