OCSP stapling for nginx (dual certificates)

wordlesswind · March 18, 2020, 6:27am

My domain is: interesting.ac.cn

My web server is (include version): nginx 1.17.9

The operating system my web server runs on is (include version): Aliyun Linux 2.1903 built on CentOS’s architecture and infrastructure

My hosting provider, if applicable, is: Alibaba Cloud

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Hello guys, I didn’t find the answer to this question, so I came to help.

My nginx conf:

    listen       443 ssl http2 fastopen=3 reuseport;
    server_name  interesting.ac.cn www.interesting.ac.cn blog.interesting.ac.cn;

    ssl_certificate            /path/to/ecc_full.pem;
    ssl_certificate_key        /path/to/ecc.key;

    ssl_certificate            /path/to/rsa_full.pem;
    ssl_certificate_key        /path/to/rsa.key;

    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_trusted_certificate    /path/to/ecc_full.pem;
    resolver                   100.100.2.136 100.100.2.136 223.5.5.5 223.6.6.6;

    …

Now I have two questions:

Do I still need ssl_trusted_certificate?
If so, how do I deal with the issue of dual certificates (double ssl_trusted_certificate give errors)

Thanks!

Osiris · March 18, 2020, 6:36am

For now it’s simple: all Let’s Encrypt certificates, either RSA or ECDSA, are signed by the same (RSA) intermediate certificate. Also, if you’re using the fullchain.pem file (if you’re using certbot as ACME client), which also contains the intermediate certificate, according to the nginx manual you don’t even need ssl_trusted_certificates.

wordlesswind · March 18, 2020, 7:42am

OH! Thank you so much!!!
I was too stupid to forget that ssl_trusted_certificate is determined by the intermediate certificate.

stevenzhu · March 18, 2020, 8:00am

For future references (if OCSP is still a thing)
ssl_trusted_certificate is the CA certificate plus the intermediate certificate, not your fullchain.pem file (which is the leaf certificate + intermediate certificate)
In most Nginx releases, Nginx should be able to detect the root certificate for your intermediate (if the root certificate is in your CA trust store), which just means: you don’t need to specify this.
For dual stack certificates, especially certificates with different root CAs, don’t specify this value. Dual stack was supported in a later release and currently there’s no way (and no need) to specify two root certificate in the same file, if you have an up to date CA store.

9peppe · March 18, 2020, 8:24am

are you sure about this?

usually

is plenty enough.

wordlesswind · March 18, 2020, 5:22pm

OK, Thank you for your help!

wordlesswind · March 18, 2020, 5:38pm

You can see that in the nginx manual.

This is a Note by EliaCereda@serverfault.com:

If verification is disabled the server simply forwards to the client the OCSP response it received from the CA, without performing any validation.

Considering the network environment in Mainland China, I think it is necessary for me to enable it. But I also operate my website as an experimental project, which requires some research.

9peppe · March 18, 2020, 6:18pm

Uhm, what are possible consequences of a missing or messed up stapled response?

wordlesswind · March 18, 2020, 8:11pm

I have no idea about this … just if I can do better, then I will do it.

9peppe · March 18, 2020, 8:14pm

you can also use hsts preloading, ocsp-must-staple, http-public-key-pinning (deprecated).

but it’s dangerous stuff that can make your website unreachable. always check your threat model before going full-on everything.

wordlesswind · March 18, 2020, 9:34pm

OK, Thank you for all about this.

system · April 17, 2020, 9:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.