Nginx letsencrypt OCSP stapling

Tags: nginx, ocsp, ssl-certificate

I have set up nginx with SSL and letsencrypt certificates. However, I am unable to get OCSP stapling to work.

From what I found on the web, it should work with the following configuration; unfortunately, it does not. My nginx vhost looks like this:

server {

    ...

    # SSL Certificates
    ssl_certificate         /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;

    # Allow Nginx to send OCSP results during the connection process
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    ...
}

When I scan my domain with https://www.ssllabs.com it reports:

OCSP stapling   No

What am I missing in my configuration?

Best Answer

I don't see anything wrong with your setup, but maybe removing the redundant resolver directive will yield a different result.

I've also faced a similar situation, and I've even tested OCSP stapling using openssl based on this article:

echo QUIT | openssl s_client -connect www.yourdomain.com:443 -servername www.yourdomain.com -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

No output means OCSP stapling is not yet working.

From what I observe, if I restart/reload Nginx and then immediately test using SSL Labs, it fails. I would then test with the above command a few times until it works, and then re-test on SSL Labs. I recommend you give it a shot, and if it fails the first time, give it a few minutes and try again. It works for me.
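The check-and-retry routine the answer describes, written out as an added example (not code from the answer): it parses the output of the same openssl -status probe and retries a few times, since nginx fetches the OCSP response in the background and the first handshakes after a reload carry no staple. The hostname, attempt count and delay are assumptions; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: detect whether a TLS server staples an OCSP response.

# Return 0 if the given `openssl s_client -status` output contains a
# successful stapled OCSP response with a "Next Update" field, 1 otherwise.
has_stapled_ocsp() {
    printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful' &&
    printf '%s\n' "$1" | grep -q 'Next Update'
}

# Probe a host up to $2 times (default 5), sleeping $3 seconds (default 10)
# between attempts. Returns 0 as soon as a staple is seen, 1 if never seen.
probe_ocsp() {
    host=$1; attempts=${2:-5}; delay=${3:-10}
    i=1
    while [ "$i" -le "$attempts" ]; do
        out=$(echo QUIT | openssl s_client -connect "$host:443" \
                -servername "$host" -status 2>/dev/null)
        if has_stapled_ocsp "$out"; then
            echo "attempt $i: OCSP staple present"
            return 0
        fi
        echo "attempt $i: no OCSP staple yet"
        i=$((i + 1))
        [ "$i" -le "$attempts" ] && sleep "$delay"
    done
    return 1
}

# Constructed sample of what openssl prints when the server sends a staple.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed sample for a server that sends no staple.
SAMPLE_NONE='OCSP response: no response sent'

# Usage against a real host (hostname is an assumption):
# probe_ocsp www.yourdomain.com 5 10
```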
