Ocsp - how to create ssl_tampling_file


My domain is: kalasa.org

I ran this command:
openssl ocsp -no_nonce -resp_text -url 'http://lencr.org' -header Host='lencr.org' -respout kalasa.org.ocsp -issuer isrg-root-ocsp-x1.pem -cert kalasaorg.pem

It produced this output:
Error querying OCSP responder
4580908544:error:27076072:OCSP routines:parse_http_line1:server response error:crypto/ocsp/ocsp_ht.c:260:Code=308,Reason=Permanent Redirect
My web server is (include version):
apache behind nginx neilpang/letsproxy
The operating system my web server runs on is (include version):
neilpang/letsproxy, docker on ubuntu EC2
My hosting provider, if applicable, is:
aws, Route53 for dns
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I use acme.sh

The Let's Encrypt certificate is working and I can access the website in Chrome. Firefox displays an error for OCSP. I'm trying to create an ssl_tampling_file but I'm still getting an error.
What is the right command for creating ssl_tampling_file? What is the right URL? I used http://lencr.org but get the error "Code=308,Reason=Permanent Redirect".
Thanks so much.

openssl x509 -in kalasaorg.pem -noout -ocsp_uri 

Try this command to print the URL.

You shouldn't hardcode the URL as it may change, but in general it'll be of the form http://INTERMEDIATE.o.lencr.org, for example it may be http://r5.o.lencr.org

8 Likes
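The advice above (read the responder URL out of the certificate instead of hardcoding it) worked through as an added shell example; this is not code from the thread or from the acme.sh project. It assumes OpenSSL 1.1.1 or newer on PATH, a system trust bundle at TRUST_BUNDLE (placeholder path, override via the environment), and placeholder file names; `make_test_cert` builds a self-signed certificate with a constructed OCSP URI so the URL extraction can be exercised offline, while `fetch_staple` needs network access.

```shell
#!/bin/sh
# Added example; not code from the original post or from acme.sh.
# Derive the OCSP responder URL from the certificate, fetch a DER OCSP
# response suitable for nginx's ssl_stapling_file, and verify it.
# Assumptions: OpenSSL >= 1.1.1 on PATH; TRUST_BUNDLE is a placeholder path.
set -eu

TRUST_BUNDLE=${TRUST_BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Print the OCSP responder URL from the certificate's Authority Information
# Access extension (this is exactly what `openssl x509 -ocsp_uri` reads).
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Build a self-signed test certificate carrying a constructed OCSP URI so the
# URL extraction can be tested offline. Arguments: cert_out key_out uri
make_test_cert() {
    cert=$1; key=$2; uri=$3
    cnf=$(mktemp)
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = example.test
[v3]
authorityInfoAccess = OCSP;URI:$uri
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$key" -out "$cert" 2>/dev/null
    rm -f "$cnf"
}

# Fetch an OCSP response for LEAF, write it (DER) to OUT, then re-read and
# verify it. ISSUER must be the certificate that signed the leaf (the
# intermediate, R3 in the thread), not the root: asking about the wrong
# issuer/serial pair yields "unknown" rather than "good".
# Needs network access, so the offline test does not call it.
fetch_staple() {
    leaf=$1; issuer=$2; out=$3
    url=$(ocsp_uri "$leaf")
    [ -n "$url" ] || { echo "no OCSP URI in $leaf" >&2; return 1; }
    # -no_nonce: Let's Encrypt serves pre-signed responses, which cannot echo
    # a request nonce, so a nonced request would fail the nonce check.
    openssl ocsp -no_nonce -issuer "$issuer" -cert "$leaf" -url "$url" \
        -respout "$out" >/dev/null
    # Read the file back the way nginx will and check that it verifies
    # against the trust bundle and reports "good" for the leaf.
    openssl ocsp -respin "$out" -issuer "$issuer" -cert "$leaf" \
        -CAfile "$TRUST_BUNDLE" -no_nonce
}

# Usage: sh this_script.sh leaf.pem intermediate.pem stapling.der
if [ "$#" -eq 3 ]; then
    fetch_staple "$1" "$2" "$3"
fi
```

Point nginx's `ssl_stapling_file` at the written DER file and re-run the script from cron well before the response's `Next Update` time, since the file is served as-is and nginx will not refresh it for you.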

Well, currently I'm getting a self-signed certificate for "localhost", so you might want to re-check that.

4 Likes

You're probably referring to ssl_stapling_file, an nginx configuration option. Assuming you're using this, nginx is indeed your webserver.

However, manually obtaining OCSP responses and serving them with nginx is a highly advanced configuration, which I would not recommend. nginx is perfectly capable of self-obtaining stapled OCSP responses.

You should re-check your configuration. From the outside, we currently see a self signed certificate, not a Let's Encrypt certificate. Which error message do you get on Firefox exactly?

5 Likes

Thanks so much @mcpherrinm . I got http://r3.o.lencr.org

1 Like

Thanks so much @Nummer378. Here is what I get now.
--- openssl s_client -connect kalasa.org:443|grep OCSP
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = kalasa.org
verify return:1

but Firefox continues with: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

1 Like

Thank you @Osiris ,
It should be fixed now. Still the Firefox error: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

1 Like

For what it's worth, if I connect to kalasa.org, I see a valid stapled OCSP response.

4 Likes

IIRC nginx does OCSP stapling as a cache, not mandated (the first visitor after the stapled response has expired will not get a stapled response), if they haven't fixed that in the last few years.

3 Likes

You are correct, nginx does lazy stapling. You can manually prime the OCSP cache with scripts if this is a concern.

In general, not using must staple is more robust though. In this case the stapling specifics shouldn't matter.

A stapled OCSP response expiring shouldn't happen with nginx, because it refreshes the stapled OCSP response every hour [since nginx 1.9.2].

4 Likes
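To see the lazy-stapling behaviour discussed in the last few posts from the outside, here is an added shell example (not code from the thread or from nginx): it asks the server for a stapled response with `openssl s_client -status`, classifies the transcript, and "primes" a lazily-stapling server by making a throwaway connection first. It assumes OpenSSL's s_client on PATH; host names are placeholders, and the transcripts in the test are constructed.

```shell
#!/bin/sh
# Added example; not code from the original thread or from nginx.
# Check whether a host staples an OCSP response and prime a lazy cache.
# Assumes `openssl s_client` on PATH; host names are placeholders.
set -eu

# Classify one `openssl s_client -status` transcript read from stdin.
# Prints: stapled-good, stapled-revoked, stapled-other, none, or unparsed.
classify_status_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*)
            case "$out" in
                *"Cert Status: good"*)    echo stapled-good ;;
                *"Cert Status: revoked"*) echo stapled-revoked ;;
                *)                        echo stapled-other ;;
            esac ;;
        *"OCSP response: no response sent"*) echo none ;;
        *) echo unparsed ;;
    esac
}

# Connect once with the status_request extension (what Firefox sends) and
# classify what came back. Plain `s_client | grep OCSP` without -status
# never shows the staple, which is why the thread's check looked fine.
check_staple() {   # host [port]
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null | classify_status_output
}

# Prime a lazily-stapling server: the first handshake after (re)start only
# triggers the fetch, so connect, wait briefly, and connect again.
prime_staple() {   # host [port]
    host=$1; port=${2:-443}
    check_staple "$host" "$port" >/dev/null || true
    sleep 2
    check_staple "$host" "$port"
}

# Usage: sh this_script.sh www.example.test [443]
if [ "$#" -ge 1 ]; then
    prime_staple "$@"
fi
```

Run `prime_staple` for each vhost right after an nginx reload; if the second connection still reports `none`, the server has no response to staple yet (resolver unreachable, `ssl_stapling` off, or a Must-Staple certificate served before the fetch finished), which is the state that triggers MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING in Firefox.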

It is known that nginx's OCSP handling is less than ideal (which is one of the reasons I migrated my stuff to Caddy). There's this issue filed by Jacob 8 years ago, but there's not been much movement since then.

2 Likes
