How to enable OCSP stapling when default server is self-signed?

173279834462 nginx-forum at nginx.us
Thu May 7 18:28:12 UTC 2015


> This depends on how your certificate is issued. If your certificate is
> issued directly by root CA certificate, then you don't need any extra certs
> here. If there are some intermediate certs, then you'll have to put them
> also.
> When this directive was introduced, almost all certificates were issued
> directly by roots. Now in most cases intermediate certificates are
> additionally required. Either way, this doesn't actually change things:
> think of it as "SSL certificate and certificate chain" if you want some
> better mnemonic.

The fact remains that "ssl_certificate" is singular, and its description is
less than clear. 
So, thank you for the explanation, because it completes the original
description. 

Certificate chains are way longer than 2 (leaf + ca) nowadays. CRL checks
can encompass 20+ nodes.
It is for this reason, the length of the chain, that I still remain of the
opinion that "ssl_certificate" ought to be limited to the leaf's own public
certificate. The intermediates ought to be bundled on a separate file.

Labels...

ssl_certificate_key -----> ssl_private_certificate[...cough...]_key
ssl_certificate 1/2 ------> ssl_public_certificate
ssl_certificate 2/2 -------> ssl_public_intermediate_certificates
ssl_trusted_certificate -> ssl_public_ca_certificate

I hate the first two, and definitely prefer the original. 
The third could simply be "ssl_intermediates", and the fourth "ssl_ca". 
Whatever, I think they will stay as they are anyway. 

> security.OCSP.GET.enabled is set to "false" by default 

In my FF it is set to "false" too, and flipping it does not make any
difference, so my local problem is neither with GET nor with POST.

It turns out that the problem is "security.ssl.enable_ocsp_stapling", which
is "true" by default. If I disable it, then FF loads the web sites. If I
re-enable it, then FF complains again:

> Secure Connection Failed
> An error occurred during a connection to madreacqua.org. 
> Invalid OCSP signing certificate in OCSP response. 
> (Error code: sec_error_ocsp_invalid_signing_cert)
>
> The page you are trying to view cannot be shown because the authenticity 
> of the received data could not be verified.
> Please contact the website owners to inform them of this problem.

If FF is correct, then nginx is returning a bad certificate, and we are back
to square one. 

Is it the bundle of certificates? No, because I have verified the chain from
nginx,
both by hand and automatically with openssl and libressl. 

Is it GET instead of POST again? No, it is not, because FF "fails" in both
cases.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,257833,258731#msg-258731
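The checks the poster describes (what nginx staples, and whether the OCSP response and its signing certificate verify against the trusted chain) can be scripted with openssl. This is an added example, not code from this thread or from nginx; the host names and file paths are placeholders, and only the transcript parser runs offline, on constructed s_client output.

```shell
#!/bin/sh
# Added example (not from the thread or nginx). Hosts and paths are placeholders.
# Only parse_staple runs below, on constructed transcripts; the two openssl
# helpers need network access and real certificate files.

# Handshake with a stapling request; prints the s_client transcript.
fetch_staple() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null
}

# Ask the responder directly and validate its signing certificate against
# the chain file (the role ssl_trusted_certificate plays for nginx). The
# last line is "Response verify OK" or "Response Verify Failure".
verify_responder() {
    leaf=$1 issuer=$2 chain=$3
    url=$(openssl x509 -noout -ocsp_uri -in "$leaf")
    openssl ocsp -issuer "$issuer" -cert "$leaf" -url "$url" \
        -CAfile "$chain" -no_nonce 2>&1
}

# Classify an s_client -status transcript. Prints NO_STAPLE or
# STAPLED:<response status>:<cert status>; exits 0 only for successful/good.
parse_staple() {
    transcript=$1
    case $transcript in
        *'OCSP response: no response sent'*) echo NO_STAPLE; return 1 ;;
    esac
    rstatus=$(printf '%s\n' "$transcript" |
        sed -n 's/^ *OCSP Response Status: \([a-z]*\).*/\1/p')
    cstatus=$(printf '%s\n' "$transcript" |
        sed -n 's/^ *Cert Status: \([a-z]*\).*/\1/p')
    echo "STAPLED:${rstatus:-unknown}:${cstatus:-unknown}"
    [ "$rstatus" = successful ] && [ "$cstatus" = good ]
}

# Constructed transcripts, shortened to the lines the parser reads.
SAMPLE_OK='CONNECTED(00000003)
OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good'
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'

parse_staple "$SAMPLE_OK"            # STAPLED:successful:good
parse_staple "$SAMPLE_NONE" || true  # NO_STAPLE
```

For a live server, `fetch_staple host.example | parse_staple "$(cat)"` is the shape of the call, and `verify_responder leaf.pem intermediate.pem chain.pem` exercises the responder's signing certificate independently of the browser.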
