NGINX OCSP not responding

Saturn2888 · January 8, 2016, 3:50am

Ubuntu 14.04 (3.13.0-24-generic)
NOTE: When using NGINX 1.4.6 or 1.8.0 with this config, I am able to get an A+ on SSL Labs, but OCSP is not responding.

Is this a Let’s Encrypt problem or something else entirely?

server {
    listen 80;
    listen 443 ssl http2;

    server_name dev.mysite.com;

    keepalive_timeout 70;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/dev.mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.mysite.com/privkey.pem;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AESGCM:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA256:AES256-SHA256:AES256-SHA:AES128-SHA256:AES128-SHA:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;

    # resolver 127.0.0.1 valid=300s;
    # resolver 8.8.8.8 8.8.4.4 valid=1s;
    # resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    access_log /var/log/nginx/dev.mysite.com.access.log;
    error_log /var/log/nginx/dev.mysite.com.error.log;

    location / {
        proxy_pass http://127.0.0.1:37453/;
    }
}

prusswan · January 8, 2016, 5:45am

Not a LE issue, but nginx behavior. You may need to manually verify that oscp stapling is working as intended. For automation purposes, this was raised as an issue (more like enhancement) in LE

More info:

https://trac.nginx.org/nginx/ticket/812

Saturn2888 · January 9, 2016, 3:24am

Huh, so it looks like I have to prefetch the OCSP responses so when a client asks NGINX, it’s there and ready to go? Sounds like a great thing to implement in LE natively .

I’ll spend some time on it. Thanks for the article! It never came up in my searches.

Fsantiago1979 · January 9, 2016, 4:47am

I use nginx and ocsp works fine. The one difference I see in our configs is I include:

ssl_trusted_certificate /etc/letsencrypt/live/Example.com/chain.pem;

Fsantiago1979 · January 9, 2016, 4:53am

important thing here is the usage of ssl_trusted_certificate. The nginx documentation states that:

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.
You have to include the root certificate (and intermediate certificates) for OCSP stapling to work, which is why ssl_trusted_certificate will be set to a special certificate file that includes those. If your ssl_certificate already does, you might be able to skip using ssl_trusted_certificate.