How to enable OCSP stapling when default server is self-signed?

bughunter nginx-forum at nginx.us
Wed Apr 8 06:30:12 UTC 2015


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Tue, Apr 07, 2015 at 12:26:23AM -0400, bughunter wrote:
> 
> [...]
> 
> > > > So how do I enable OCSP stapling for my vhosts when the default server cert
> > > > is self-signed?  This seems like a potential bug in the nginx SSL module.
> > > 
> > > Just enable ssl_stapling in appropriate server{} blocks.
> > 
> > As far as I can tell, I'm already doing that:
> > 
> > http://pastebin.com/Ymb5hxDP
> 
> The configuration you are testing with seems to be 
> overcomplicated.  Nevertheless, it should work assuming correct 
> certificates are supplied and OCSP responder works fine.  What 
> makes you think that it doesn't work?

Running the 'openssl s_client' command only returns "OCSP response: no
response sent" as evidenced here (I've replaced the actual domain with
"mydomain.org" in the command):

# openssl s_client -servername mydomain.org -connect mydomain.org:443 -tls1 -tlsextdebug -status
CONNECTED(00000003)
TLS server extension "server name" (id=0), len=0
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02                                       ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01                                                .
OCSP response: no response sent
...

Also, the Qualys SSL labs test indicates OCSP support in the certificate but
no OCSP stapling for the server.

        ssl_certificate        /var/www/mydomain.org/mydomain.org.chain.pem;

That contains the signed certificate, intermediate CA cert, and root CA cert
(in that order).  PEM format.

        ssl_certificate_key    /var/www/mydomain.org/mydomain.org.key.pem;

That contains the private key.  PEM format.

        ssl_trusted_certificate    /var/www/root.certs.pem;

That contains the intermediate CA cert and root CA cert (in that order). 
PEM format.


And the OCSP responder itself is working fine because Firefox is working
fine (for the moment) and I can also ping the OCSP responder and access the
OCSP responder directly using the URL in the certificate from the server
that nginx sits on.  The CA's OCSP responder went down for a few hours a
couple of days ago, which caused my browser (Firefox) to freak out and deny
access to my own website.  At that point I went about figuring out setting
up OCSP stapling to prevent the issue from reoccurring in the future.  The
certificate has the v3 OCSP extension in it and it points at a valid
location.  There aren't any errors in the nginx logs about attempts to
retrieve OCSP responses and failing.  There are no errors, warnings, or
notices during startup of nginx.  I've reloaded and restarted nginx many
times, rebooted the whole system one time, and run the "openssl s_client"
command a bunch of times after each "long-shot" configuration adjustment
(and reverted shortly after back to the config you saw in the pastebin).

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,257906#msg-257906
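
Added example, not part of the original post or of nginx: a small shell check that classifies the stapling result in `openssl s_client -status` output, so the "no response sent" case above can be told apart from a stapled response with a good, revoked or failed status. The function names and both sample inputs are constructed for illustration.

```shell
# Classifies `openssl s_client -status` output read on stdin.
# Prints: no-staple | good | revoked | unknown | responder-error | no-status-output
classify_stapling() {
    awk '
        /^OCSP response: no response sent/ { seen = 1; result = "no-staple" }
        /OCSP Response Status:/ {
            seen = 1
            if ($0 !~ /successful/) result = "responder-error"
        }
        /Cert Status:/ && result == "" {
            if      ($0 ~ /good/)    result = "good"
            else if ($0 ~ /revoked/) result = "revoked"
            else                     result = "unknown"
        }
        END {
            if (!seen)             result = "no-status-output"
            else if (result == "") result = "unknown"
            print result
        }'
}

# Prints the Next Update time of the stapled response, if one is present.
staple_next_update() {
    sed -n 's/^[[:space:]]*Next Update:[[:space:]]*//p' | head -n 1
}

# Constructed sample: the "no response sent" case reported in the post.
sample_no_staple() {
    cat <<'EOF'
CONNECTED(00000003)
OCSP response: no response sent
EOF
}

# Constructed sample: a stapled response (all values are made up).
sample_stapled() {
    cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Apr  7 00:00:00 2015 GMT
    Next Update: Apr 14 00:00:00 2015 GMT
EOF
}
```

Against a live server, pipe the real output in, for example `openssl s_client -servername mydomain.org -connect mydomain.org:443 -status </dev/null 2>/dev/null | classify_stapling`, where mydomain.org is the placeholder used in the post.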