OCSP stapling for nginx (dual certificates)

My domain is: interesting.ac.cn

My web server is (include version): nginx 1.17.9

The operating system my web server runs on is (include version): Aliyun Linux 2.1903 built on CentOS’s architecture and infrastructure

My hosting provider, if applicable, is: Alibaba Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Hello guys, I didn’t find the answer to this question, so I came here for help.

My nginx conf:

    listen       443 ssl http2 fastopen=3 reuseport;
    server_name  interesting.ac.cn www.interesting.ac.cn blog.interesting.ac.cn;

    ssl_certificate            /path/to/ecc_full.pem;
    ssl_certificate_key        /path/to/ecc.key;

    ssl_certificate            /path/to/rsa_full.pem;
    ssl_certificate_key        /path/to/rsa.key;

    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    /path/to/ecc_full.pem;
    resolver                   100.100.2.136 100.100.2.136 223.5.5.5 223.6.6.6;

    …

Now I have two questions:

  • Do I still need ssl_trusted_certificate?
  • If so, how do I deal with the issue of dual certificates (two ssl_trusted_certificate directives give errors)?

Thanks!

1 Like

For now it’s simple: all Let’s Encrypt certificates, either RSA or ECDSA, are signed by the same (RSA) intermediate certificate. Also, if you’re using the fullchain.pem file (if you’re using certbot as your ACME client), which also contains the intermediate certificate, according to the nginx manual you don’t even need ssl_trusted_certificate.

2 Likes
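A quick way to confirm that the dual-certificate setup from the original post actually staples for both chains is to handshake once per signature algorithm and look at what `openssl s_client -status` reports. The script below is an added example, not code from the thread or from nginx; it assumes the server selects the ECDSA or RSA certificate from the client's signature_algorithms extension (the `-sigalgs` values), and `HOST` defaults to the thread's domain.

```shell
#!/bin/sh
# Added example (not from the thread): probe a server that serves both an ECDSA
# and an RSA certificate and report whether nginx staples an OCSP response for
# each chain. HOST defaults to the thread's domain; the -sigalgs values are an
# assumption about how the server chooses between the two certificates.
HOST="${HOST:-interesting.ac.cn}"

# Classify the output of `openssl s_client -status`. Prints one word and
# succeeds only when a "good" OCSP response was stapled.
stapling_status() {
    case "$1" in
        *"OCSP Response Status: successful"*"Cert Status: good"*)
            echo stapled; return 0 ;;
        *"OCSP Response Status: successful"*"Cert Status: revoked"*)
            echo revoked; return 1 ;;
        *"OCSP response: no response sent"*)
            echo missing; return 1 ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# One handshake restricted to a single signature algorithm, so the server has
# to pick the matching certificate (ECDSA chain vs RSA chain). Empty output
# means the handshake failed, e.g. no certificate of that type is configured.
probe() {
    printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" \
        -status -sigalgs "$1" 2>/dev/null
}

# Check both chains; exit status is non-zero if either one lacks a good staple.
check_all() {
    rc=0
    for alg in ECDSA+SHA256 RSA-PSS+SHA256; do
        printf '%-16s ' "$alg"
        stapling_status "$(probe "$alg")" || rc=1
    done
    return "$rc"
}

# Usage: sh check_stapling.sh --run   (functions only when sourced without --run)
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Two things to keep in mind when reading the result: nginx fetches the OCSP response in the background after the first handshake, so the very first probe of a chain usually reports "missing" and the script should be run twice; and with `ssl_stapling_verify on`, "missing" on repeated runs typically means nginx could not verify the responder's answer against the trusted chain, which shows up in the nginx error log rather than on the client side.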

OH! Thank you so much!!!
I was too stupid to forget that ssl_trusted_certificate is determined by the intermediate certificate.

1 Like

For future reference (if OCSP is still a thing):
ssl_trusted_certificate is the CA certificate plus the intermediate certificate, not your fullchain.pem file (which is the leaf certificate + intermediate certificate).
In most Nginx releases, Nginx should be able to detect the root certificate for your intermediate (if the root certificate is in your CA trust store), which just means: you don’t need to specify this.
For dual stack certificates, especially certificates with different root CAs, don’t specify this value. Dual stack was supported in a later release and currently there’s no way (and no need) to specify two root certificates in the same file, if you have an up to date CA store.

1 Like

are you sure about this?

usually

is plenty enough.

2 Likes

OK, Thank you for your help!

1 Like

You can see that in the nginx manual.

This is a Note by EliaCereda@serverfault.com:

If verification is disabled the server simply forwards to the client the OCSP response it received from the CA, without performing any validation.

Considering the network environment in Mainland China, I think it is necessary for me to enable it. But I also operate my website as an experimental project, which requires some research.

3 Likes

Uhm, what are possible consequences of a missing or messed up stapled response?

1 Like

I have no idea about this … just if I can do better, then I will do it. :)

You can also use HSTS preloading, OCSP Must-Staple, HTTP Public Key Pinning (deprecated).

But it’s dangerous stuff that can make your website unreachable. Always check your threat model before going full-on everything.

OK, thank you for all of this.