Nginx OCSP stapling centos let’s encrypt

nginxocsp

On centos, but I guess for every OS, I want to make ocsp stapling work in Nginx

ssl_stapling on;
ssl_trusted_certificate  ??????; 
ssl_stapling_verify on;

what do I define for ssl_trusted_certificate?
People talk about "chain+root file" or root.ca, but it's very unclear to me if these files are already on my server or where to find/create them.

I have a valid certificate from Let's Encrypt and SSL/TLS (https) is working fine already. But how do I go from here?

Best Answer

For anyone wondering...

ssl_stapling on;
ssl_trusted_certificate  /etc/letsencrypt/live/DOMAIN/chain.pem;
#ssl_stapling_verify on;

note the hash, by having no verify it actually works:

on the command line: openssl s_client -connect DOMAIN:443 -tls1 -tlsextdebug -status |grep OCSP -A 2 -B 1

OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Related Solutions

Nginx – OCSP validation – unable to get local issuer certificate

Those two errors was unrelated although the error message was same.

[...]SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)

Above error was issued openssl_client command. As explained by Florian Heigl, you get this error because the openssl_client need the Globalsign Root cert in /etc/ssl/certs.

OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com

For this error, it was issued by nginx ocsp routine, especially when you add ssl_stapling_verify on; line in nginx.conf.

Here some excerpt from the documentation of ssl_stapling_verify to explain why it throws the error

Syntax: ssl_stapling_verify on | off;

Enables or disables verification of OCSP responses by the server.

For verification to work, the certificate of the server certificate issuer, the root certificate, and all intermediate certificates should be configured as trusted using the ssl_trusted_certificate directive.

In other words, you need provide (2) Intermediate CA Bundle (RapidSSL SHA256 CA - G3) and (3) Intermediate CA Bundle (GeoTrust Global CA) to ssl_trusted_certificate directive.

cat GeoTrustGlobalCA.crt rapidsslG3.crt > ocsp-chain.crt

and add ocsp-chain.crt to ssl_trusted_certificate directive.

Linux – How to enable OCSP Stapling via http proxy

You can try this: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file

When set, the stapled OCSP response will be taken from the specified file instead of querying the OCSP responder specified in the server certificate.

The file should be in the DER format as produced by the “openssl ocsp” command.

Best Answer

Related Solutions

Nginx – OCSP validation – unable to get local issuer certificate

Linux – How to enable OCSP Stapling via http proxy

Related Topic