Nginx – make Nginx automatically OCSP staple certificates at reload/restart


Is there a way to make Nginx proactively OCSP staple certificates each time its configuration is reloaded or it is re-started? Alternatively, can Nginx be set to save the stapled certificates across reloads or restarts instead of discarding them? Reloading or restarting Nginx appears to clear all cached OCSP stapled certificates.

I have OSCP stapling tested and working on an Ubuntu 16.04.1 server running Nginx 1.11.4 and using Certbot's OCSP Must-Staple TLS feature extension. My problem is that upon reload or restart of Nginx, the stapled response is not saved and the first visitor sees an error page instead (this is the expected outcome for "must staple" certs not yet stapled by the server).

I have to visit each website hosted by the server and reload them a couple times while Nginx automagically OCSP staples the certificates, then everything starts working again until the next restart. I'd like to automate this step or avoid it altogether.

Best Answer

That article explains one way to do it:

The idea is to manually fetch de OCSP response and use the ssl_stapling_file directive. explains it in details:

URL=$(openssl x509 -in $SERVER_CER -text | grep “OCSP – URI:” | cut -d: -f2,3)

openssl ocsp -noverify -no_nonce -respout ocsp.resp -issuer \ $ISSUER_CER -cert $SERVER_CER -url $URL

Where “ocsp.resp” is whatever file you have configured in Nginx for the “ssl_stapling_file“.