OCSP stapling in NGINX via Plesk. How to?


#1

Hi,

I have the Let’s Encrypt plugin installed in Plesk 12.5 and installed the cert via this plugin.
Everything is set up as described in different sources, including information available on this forum, but I doubt whether the OCSP stapling is working correctly or not.

When I test the installed cert via Qualys SSL Labs, I get an A+ rating and it says OCSP Stapling: YES

When I test on my server with the openssl command, I get this response: OCSP response: no response sent

So, is it working now, or not?

Qualys SSL Labs also informs me of chain issues: Incorrect order, Extra certs
What is the right order in Plesk to add the cert files? I’m using the following in Plesk under “Additional nginx directives”:

ssl_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/fullchain.pem;
ssl_certificate_key /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/privkey.pem;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /usr/local/psa/var/modules/letsencrypt/etc/live/mydomain.com/fullchain.pem;

Regards,
Gabe


#2

In nginx (and to be fair, in other popular servers too) the stapling support is a bit, well I’d call it half-arsed.

When nginx first spins up a web server process, it doesn’t have the stapled OCSP response to hand, so by default it just doesn’t provide it. This can result in some tools saying there’s no OCSP stapling, because when they tried, there wasn’t. If you want, you could try, ignore the result, wait a few minutes, then try again and see if it’s better.

Anyway, probably if SSL Labs says it’s working, it’s working as well as can be in nginx for now. Hopefully as stapling gets more popular we’ll see nginx getting a bit better at this.

Now, the chain issues are more surprising. The fullchain.pem prepared by Let’s Encrypt is usually perfectly good and wouldn’t attract a complaint from Qualys’ tools. The SSL Labs page does give a bit more info, but I appreciate it can be hard to interpret; maybe you could paste the part where it lists the certificates it saw? If you are particularly worried you could blur out your own site’s name anywhere it appears, although please do remember certificates are public documents, they’re not secrets, and it’s not as though asking for advice about security is a shameful thing to be doing.


#3

Hello @gaborh,

How are you testing it? Because your conf seems OK to me (except for the use of ssl_trusted_certificate).

If you are using something like this…

echo | openssl s_client -connect yourdomain.tld:443 -status

…and your domain is not the default one, it is normal to get that OCSP response: no response sent

Instead, try adding the -servername parameter and try again:

echo | openssl s_client -connect yourdomain.tld:443 -servername yourdomain.tld -status

It seems OK to me, but you should remove the ssl_trusted_certificate directive because your server doesn’t need it; you already have it specified in the ssl_certificate directive, where you are adding the fullchain.pem.

From the nginx docs:

For the OCSP stapling to work, the certificate of the server certificate issuer should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.

As I said, since you are already using fullchain.pem, which contains the intermediate cert, there is no need to use ssl_trusted_certificate for OCSP stapling.

Cheers,
sahsanu
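The two checks discussed above (reply #2's "try, wait, try again" and reply #3's `-servername` probe), written up as an added shell example that is not code from this thread or from nginx/Plesk. It classifies `openssl s_client -status` output, retries the live probe a few times so a freshly started nginx worker has time to fetch its staple, and prints the subject/issuer of every certificate in a PEM bundle so the chain order can be eyeballed. The host, port and bundle path are placeholders, and the `SAMPLE_*` strings are constructed, abridged copies of real OpenSSL output so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Probe an nginx vhost for a stapled OCSP
# response with SNI, retry while nginx warms up, and inspect chain order.

# Classify captured `openssl s_client -status` output.
# Prints one of: stapled | no-staple | unknown
classify_ocsp() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo no-staple ;;
    *)                                    echo unknown ;;
  esac
}

# Extract the revocation verdict carried in the staple ("good", "revoked", ...).
# Prints nothing when no staple was present.
cert_status() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1
}

# One live probe. -servername sends SNI so the named vhost answers instead of
# the default server; -status asks the server to include its OCSP staple.
probe_once() {
  host="$1"; port="${2:-443}"
  out=$(echo | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
  classify_ocsp "$out"
}

# Retry loop: a worker that has just started has no staple yet, so one
# "no-staple" is not conclusive. Returns 0 on the first staple seen, else 1.
probe_stapling() {
  host="$1"; port="${2:-443}"; tries="${3:-3}"; delay="${4:-10}"
  i=1
  while [ "$i" -le "$tries" ]; do
    result=$(probe_once "$host" "$port")
    echo "attempt $i: $result"
    [ "$result" = stapled ] && return 0
    sleep "$delay"
    i=$((i + 1))
  done
  return 1
}

# Print subject/issuer of each certificate in a PEM bundle, in file order.
# nginx expects the leaf first, then each issuer after the cert it signed.
show_chain_order() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# --- constructed, abridged sample outputs for offline use ---
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2016 GMT
    Next Update: Jan  8 00:00:00 2016 GMT
======================================'

SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=mydomain.example
   i:/O=Example CA/CN=Example Intermediate'

# Usage against a real host (placeholders):
#   probe_stapling mydomain.example 443 3 10
#   show_chain_order /path/to/fullchain.pem
```

Run the probe twice a few minutes apart before concluding anything; the first answer after a reload is usually "no-staple". If the staple never appears, check that the nginx config also carries a `resolver` directive: nginx needs it to look up the OCSP responder's hostname, and without one the fetch never happens even though `ssl_stapling on` is set.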

