OCSP Stapling - Nginx Server

kazeuraki · March 29, 2017, 4:02am

Hi everyone !
Anyone have idea about OSCP Stapling on Nginx server can help me on this case?
I have applied tons of guide but it still doesnt' work
It's my OSCP line

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/kazeuraki.net/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 30s;

My VPS can connect to OSCP server of LE

telnet ocsp.int-x3.letsencrypt.org 80
Trying 184.86.250.27...
Connected to ocsp.int-x3.letsencrypt.org.

But still doesnt have OSCP response with my Nginx conf. I have run this command 2 times to make sure about OSCP

openssl s_client -connect kazeuraki.net:443 -status
CONNECTED(00000003)
OCSP response: no response sent

This is my full Nginx conf. kazeuraki.net Conf - Pastebin.com
I have 2 block 443. One block 443 to redirect https://www. to https://. Another 443 block for root web. Did i have to paste OSCP in both 443 block or just block for root web
Thank you so much in advance

mnordhoff · March 29, 2017, 4:11am

Hrm. I can see a couple issues, but i can't see why OCSP stapling isn't working. Are you sure Nginx has been reloaded since the configuration was modified? Is there anything notable in Nginx's error.log?

That lands on the default HTTPS vhost. You may want to use "openssl s_client -connect kazeuraki.net:443 -servername kazeuraki.net -status", but in this case it doesn't seem to matter either way.

Only one of those server blocks has stapling enabled. But it doesn't seem to be working on either of them, so that doesn't seem relevant either.

Nonetheless, you should probably synchronize the SSL settings in the two server blocks, or move them up to the http level.

kazeuraki · March 29, 2017, 4:36am

Yes, in my case the result still the same: OCSP response: no response sent

Oh. It's work if I put OSCP on first 443 block
Or if I move this 443 block to the end, so Nginx will read 443 block root first
OK I understand now and this is my conclusion for my case

My Nginx Conf have 3 block

Block 443 (call it's 443A) use to redirect https://www. to https

server {listen 443 ssl http2;
server_name www.kazeuraki.net;
rewrite ^(.*) https://kazeuraki.net$1 permanent;}

2.Block 80 use to redirect http and http:// to https

server {listen 80;
server_name kazeuraki.net www.kazeuraki.net;
rewrite ^(.*) https://kazeuraki.net$1 permanent; }

3.Block 443B: Contain root web

server {listen 443 ssl http2;
server_name kazeuraki.net;
root /home/kazeuraki.net/public_html;}

To make OCSP work, I need config Nginx in one of 2 way:

Block 443B in front of block 443A. Nginx will read 443B first then 443A
Put OCSP conf in both block 443B and 443A

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/kazeuraki.net/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

One more thing, do i really need resolver? I dont understand so much about it. I use Google DNS but valid and timeout mean?

kazeuraki · March 29, 2017, 4:49am

And I doesn’t understand why I put OCSP for 443 server_name domain and it doesn’t work when test on domain
And in case put OCSP for both domain and www.domain it works for both =,=

mnordhoff · March 29, 2017, 5:11am

I had no idea. I didn't think it was actually important. I'm glad you got it working!

Yes, you need resolver. It's just how Nginx works: if you want to use OCSP stapling, you need resolver.
(Probably because writing DNS software is a nightmare.)

You can remove "valid=300s" and "resolver_timeout 30s;". Setting them is useless and/or mildly harmful, in my opinion.

kazeuraki · March 29, 2017, 8:37am

Beside, u think should use GG DNS or OpenDNS
resolver 8.8.8.8 8.8.4.4
resolver 208.67.222.222 208.67.220.220
or event I see one guide with resolver 127.0.0.1

ahaw021 · March 29, 2017, 9:58am

glad you got this working

as an FYI - I always suggest users follow the mozilla guide: https://wiki.mozilla.org/Security/TLS_Configurations

could have saved some time (and may some time if you ever have to do it again)

Andrei

jsha · March 30, 2017, 12:09am

One thing that is probably making this especially hard to diagnose: Nginx lazy-loads OCSP stapling information. So, after a restart, the first TLS connection will not receive stapled OCSP. However, it will trigger a background fetch in Nginx for the OCSP response. Usually by the time of the next TLS connection, Nginx will have a response, and will staple it.

Needless to say, this makes Nginx very difficult to use with Must Staple.

kazeuraki · March 30, 2017, 2:49am

Yeah. Just to note, I have to say it's very hard to config OCSP Stapling with Nginx.
Resolver from localhost doesnt' work

resolver 127.0.0.1;

I have to use GG DNS instead of:

resolver 8.8.8.8 8.8.4.4;

Anyway, it's coming to good now. Thank all you guy Nice day ahead

system · April 29, 2017, 2:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Nginx ssl_stapling does not work Help	8	1309	August 5, 2020
Howto: OCSP Stapling for NGINX Server	8	38471	May 3, 2016
Ssl_stapling error nginx Server	2	5732	April 1, 2018
OCSP staling in NGINX via Plesk. How to? Server	3	2357	August 12, 2016
Wired issue using OCSP stapling Help	3	2757	November 8, 2016

OCSP Stapling - Nginx Server

Related topics