Using “certbot-auto” I issued a new certificate specifying the “–must staple” flag.
sudo /etc/certbot-auto/certbot-auto certonly --authenticator webroot --installer nginx --must-staple --staple-ocsp -d …
As part of the process the following nginx directive r.h.s.'s in the nginx configuration files were automatically updated:
ssl_certificate /etc/letsencrypt/live/go-oio.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/go-oio.com/privkey.pem; # managed by Certbot
However the following nginx r.h.s.'s value was not updated:
ssl_trusted certificate (old r.h.s. from a non-letsencrypt certificate)
Nevertheless, even with the (old r.h.s. from a non-letsencrypt certificate) value,
the website still functioned.
This letsencrypt comment by jsha recommends setting the r.h.s. value of “ssl_trusted certificate” to the same value as the r.h.s. value of ssl_certificate. I followed that jsha recommendation and of it course it still worked.
Then I removed the “ssl_trusted certificate” entirely:
# ssl_trusted certificate … (commented out)
sudo service nginx restart
and performed the qualys ssl test from a browser:
Even without the “ssl_trusted certificate” directive, the results showed
that both “OCSP must staple” and “OCSP stapling” were enabled, and the score was still A+.
This result doesn’t surprise me, because jsha’s comment mentions that
“Also bear in mind that Nginx lazy-loads OCSP responses. So the first request will not have a stapled response, but subsequent requests will.”
which I interpret as meaning that on restart (or reload) nginx queries for an up-to-date OCSP response, and caches that value in memory, at least for some period of time. And all that is required to make a normal OCSP query is the certificate chain given as the r.h.s. value of “ssl_certificate”. So it would seem the value of “ssl_trusted_certificate” is redundant.
My questions are:
- is the directive “ssl_trusted certificate” now deprecated?
- are there some cases (perhaps for other CA’s than letsencrypt) where “ssl_trusted certificate” is still necessary?
- was there a historical reason for the directive “ssl_trusted certificate”, such as holding a text cache of the actual “OCSP response”, which is now no longer used?
- assuming nginx caches the OCSP response in memory, is there a nginx directive specifying the max time until a new response is obtained to refresh the cache?
nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g 1 Mar 2016