OCSP Stapling - Nginx Server


#1

Hi everyone !
Does anyone who knows about OCSP Stapling on an Nginx server have an idea that can help me with this case?
I have applied tons of guides but it still doesn't work.
These are my OCSP lines:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/kazeuraki.net/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 30s;

My VPS can connect to the OCSP server of LE:

telnet ocsp.int-x3.letsencrypt.org 80
Trying 184.86.250.27…
Connected to ocsp.int-x3.letsencrypt.org.

But there is still no OCSP response with my Nginx conf. I have run this command 2 times to make sure about OCSP:

openssl s_client -connect kazeuraki.net:443 -status
CONNECTED(00000003)
OCSP response: no response sent

This is my full Nginx conf: https://pastebin.com/QqsjsCEW
I have 2 443 blocks. One 443 block redirects https://www. to https://. The other 443 block is for the root web. Do I have to put OCSP in both 443 blocks or just in the block for the root web?
Thank you so much in advance.


#2

Hrm. I can see a couple of issues, but I can't see why OCSP stapling isn't working. :confused: Are you sure Nginx has been reloaded since the configuration was modified? Is there anything notable in Nginx's error.log?

That lands on the default HTTPS vhost. You may want to use “openssl s_client -connect kazeuraki.net:443 -servername kazeuraki.net -status”, but in this case it doesn’t seem to matter either way.

Only one of those server blocks has stapling enabled. But it doesn’t seem to be working on either of them, so that doesn’t seem relevant either.

Nonetheless, you should probably synchronize the SSL settings in the two server blocks, or move them up to the http level.


#3

Yes, in my case the result is still the same: OCSP response: no response sent

Oh. It works if I put OCSP in the first 443 block :smiley:
Or if I move this 443 block to the end, so Nginx reads the root 443 block first :smiley:
OK, I understand now, and this is my conclusion for my case.

My Nginx conf has 3 blocks:

1. Block 443 (call it 443A), used to redirect https://www. to https://

server {
    listen 443 ssl http2;
    server_name www.kazeuraki.net;
    rewrite ^(.*) https://kazeuraki.net$1 permanent;
}

2. Block 80, used to redirect http:// to https://

server {
    listen 80;
    server_name kazeuraki.net www.kazeuraki.net;
    rewrite ^(.*) https://kazeuraki.net$1 permanent;
}

3. Block 443B, containing the root web

server {
    listen 443 ssl http2;
    server_name kazeuraki.net;
    root /home/kazeuraki.net/public_html;
}

To make OCSP work, I need to configure Nginx in one of 2 ways:

  • Block 443B in front of block 443A, so Nginx reads 443B first, then 443A

  • Put the OCSP conf in both block 443B and block 443A

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/kazeuraki.net/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

One more thing: do I really need resolver? I don't understand much about it. I use Google DNS, but what do valid and timeout mean?


#4

And I don't understand why, when I put OCSP in the 443 block for server_name domain, it doesn't work when I test on domain.
And in the case where I put OCSP in both the domain and www.domain blocks, it works for both =,=


#5

:astonished: I had no idea. I didn’t think it was actually important. I’m glad you got it working!

Yes, you need resolver. It's just how Nginx works: if you want to use OCSP stapling, you need resolver.
(Probably because writing DNS software is a nightmare.)

You can remove "valid=300s" and "resolver_timeout 30s;". Setting them is useless and/or mildly harmful, in my opinion.


#6

Besides, do you think I should use Google DNS or OpenDNS?
resolver 8.8.8.8 8.8.4.4
resolver 208.67.222.222 208.67.220.220
Or I even saw one guide with resolver 127.0.0.1


#7

Glad you got this working.

As an FYI, I always suggest users follow the Mozilla guide: https://wiki.mozilla.org/Security/TLS_Configurations

It could have saved some time :smiley: (and may save some time if you ever have to do it again).

Andrei


#8

One thing that is probably making this especially hard to diagnose: Nginx lazy-loads OCSP stapling information. So, after a restart, the first TLS connection will not receive stapled OCSP. However, it will trigger a background fetch in Nginx for the OCSP response. Usually by the time of the next TLS connection, Nginx will have a response, and will staple it.

Needless to say, this makes Nginx very difficult to use with Must Staple.
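The two points above, #2's advice to test with -servername and #8's note that Nginx staples only from the second handshake on, combined into one check. This is an added example, not code from the thread: the script name ocsp_check.sh and the functions are my own, and the s_client excerpts embedded for the offline demo are constructed, not captured from any real server.

```shell
#!/bin/sh
# Added example, not code from the thread: probe a host for OCSP stapling
# the way nginx's behaviour requires, i.e. with SNI set and with two
# handshakes, because nginx only starts fetching the OCSP response in the
# background after the first TLS connection and staples it from then on.
set -u

# staple_state: read `openssl s_client -status` output on stdin and print
# one word: "stapled", "none" or "unknown".
staple_state() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                     echo unknown ;;
    esac
}

# probe HOST [PORT]: one handshake with -servername, so the request reaches
# the server block for HOST instead of the default (first) `listen 443` block.
probe() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | staple_state
}

# check_stapling HOST [PORT]: two handshakes a couple of seconds apart.
# Returns 0 if the second handshake carried a staple, 1 otherwise; a "none"
# on the first handshake alone is expected right after a reload/restart.
check_stapling() {
    host=$1
    port=${2:-443}
    first=$(probe "$host" "$port")
    sleep 2
    second=$(probe "$host" "$port")
    echo "$host: first handshake=$first second handshake=$second"
    [ "$second" = "stapled" ]
}

# demo_offline: constructed s_client excerpts (not captured from any real
# server) so the classifier can be exercised without network access.
demo_offline() {
    sample_stapled='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
    sample_none='CONNECTED(00000003)
OCSP response: no response sent'
    a=$(printf '%s\n' "$sample_stapled" | staple_state)
    b=$(printf '%s\n' "$sample_none" | staple_state)
    echo "constructed stapled sample -> $a, constructed no-staple sample -> $b"
    [ "$a" = "stapled" ] && [ "$b" = "none" ]
}

# Usage: sh ocsp_check.sh kazeuraki.net   (hypothetical filename)
# With no argument, only the offline demo on the constructed samples runs.
if [ -n "${1:-}" ]; then
    check_stapling "$1" "${2:-443}"
else
    demo_offline
fi
```

Run it once right after `nginx -s reload`: a result of first handshake=none, second handshake=stapled is the normal lazy-fetch pattern; none on both handshakes means stapling is not active for the server block that -servername selected (or the resolver cannot reach the OCSP responder, which shows up in error.log).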


#9

Yeah. Just to note, I have to say it's very hard to configure OCSP Stapling with Nginx.
Resolver from localhost doesn't work :frowning:

resolver 127.0.0.1;

I have to use Google DNS instead:

resolver 8.8.8.8 8.8.4.4;

Anyway, it's all good now. Thank you all :slight_smile: Nice day ahead.
