How to check nginx OCSP verification

A. Schulze sca at andreasschulze.de
Tue Mar 1 20:01:15 UTC 2016


B.R.:

> I want to have details about the status of nginx's validation of the initial
> OCSP query it did to the OCSP responder of the CA, especially when it goes
> wrong.

We do not let nginx fetch the OCSP data itself but use ssl_stapling_file.
A cronjob calls openssl and VERIFIES the OCSP response.

     OCSP_RESPONSE='/path/to/ocsp_response_file' # ssl_stapling_file in nginx.conf

     # all intermediate and root certificates except the certificate itself
     CA_CHAIN='/tmp/ca_chain.pem'
     cat intermediate.pem root.pem > ${CA_CHAIN}

     DIRECT_ISSUER='root.pem' # or intermediate.pem, exactly one certificate
     CERT='cert.pem'          # for this certificate we need the OCSP response...

     # x509 -text prints "OCSP - URI:http://...", fields 2,3 of the ':' split give "http://..." back
     # (a URI with an explicit port would need -f2- instead)
     OCSP_URI=`openssl x509 -noout -text -in ${CERT} | grep 'OCSP - URI:' | cut -d: -f2,3`

     # note the backslash before ${EXTRA_ARGS}, without it the last line runs as a separate command
     openssl ocsp -no_nonce                \
             -respout ${OCSP_RESPONSE}.tmp \
             -CAfile ${CA_CHAIN}           \
             -issuer ${DIRECT_ISSUER}      \
             -cert ${CERT}                 \
             -url ${OCSP_URI}              \
             ${EXTRA_ARGS}

     # non-zero exit: fetch or verification failed. -respout has already written
     # the (unverified) response to the .tmp file, so it must not be installed
     if [ $? -ne 0 ]; then
       rm -f ${OCSP_RESPONSE}.tmp
       exit 1
     fi

     # success
     mv ${OCSP_RESPONSE}.tmp ${OCSP_RESPONSE}
     killall -HUP nginx

EXTRA_ARGS handles some special tweaks
  - Startcom: https://forum.startcom.org/viewtopic.php?f=15&t=2661
    EXTRA_ARGS='-header HOST ocsp.startssl.com'

  - Let's Encrypt: https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264/3
    # double quotes, so that ${DIRECT_ISSUER} is expanded when EXTRA_ARGS is set
    EXTRA_ARGS="-header HOST ocsp.int-x1.letsencrypt.org -verify_other ${DIRECT_ISSUER}"

You may want to adjust this to your needs.

Andreas
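Added example, not part of Andreas' message: the same cron job, written so that the decision whether to install the staple is based on what `openssl ocsp` actually prints rather than on its exit status alone. The exit status only tells you whether the response verified; a verified response that says "revoked" still exits 0, and `-respout` writes the response to disk before verification, so a failed run must clean up the temporary file. The file names passed as arguments, the OCSP_EXTRA_ARGS variable, the use of `nginx -s reload` instead of `killall -HUP nginx` and the openssl output lines quoted in the comments are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original post): stricter OCSP stapling refresh.
# Assumed: the paths given as arguments, OCSP_EXTRA_ARGS, `nginx -s reload`.
set -u

# Extract the responder URL from `openssl x509 -noout -text` output on stdin.
# openssl prints it as "                OCSP - URI:http://ocsp.example.net/".
ocsp_uri_from_text() {
    sed -n 's/^[[:space:]]*OCSP - URI://p' | head -n 1
}

# Judge the combined stdout+stderr of `openssl ocsp` (on stdin) for the
# certificate whose -cert path was $1. Prints good/revoked/unknown/stale/
# unverified and returns 0 only for "good". The exit status of `openssl ocsp`
# says whether the response verified, not what the response says.
ocsp_verdict() {
    name="$1"
    out=$(cat)
    # "Response verify OK" goes to stderr, hence the 2>&1 at the call site
    printf '%s\n' "$out" | grep -q '^Response verify OK$' || { echo unverified; return 1; }
    # printed by openssl when thisUpdate/nextUpdate fail its validity check
    if printf '%s\n' "$out" | grep -q 'WARNING: Status times invalid'; then
        echo stale; return 1
    fi
    # the status line is "<-cert argument>: good|revoked|unknown"
    status=$(printf '%s\n' "$out" | sed -n "s|^${name}: ||p")
    case "$status" in
        good)    echo good;    return 0 ;;
        revoked) echo revoked; return 1 ;;
        *)       echo unknown; return 1 ;;
    esac
}

# Fetch, verify and atomically install a response, then reload nginx.
# $1 cert.pem  $2 direct issuer  $3 CA chain (intermediates + root)  $4 ssl_stapling_file
refresh_staple() {
    cert="$1"; issuer="$2"; chain="$3"; staple="$4"
    uri=$(openssl x509 -noout -text -in "$cert" | ocsp_uri_from_text)
    [ -n "$uri" ] || { echo "$cert: no OCSP URI in the certificate" >&2; return 1; }

    # Responder-specific options, e.g. OCSP_EXTRA_ARGS='-header HOST=ocsp.example.net'
    # (OpenSSL 1.1.0+ syntax; 1.0.x wrote "-header HOST ocsp.example.net").
    # shellcheck disable=SC2086  # word splitting of OCSP_EXTRA_ARGS is intended
    verdict=$(openssl ocsp -no_nonce -respout "$staple.tmp" \
                  -CAfile "$chain" -issuer "$issuer" -cert "$cert" -url "$uri" \
                  ${OCSP_EXTRA_ARGS:-} 2>&1 | ocsp_verdict "$cert") || {
        # -respout already wrote the bad response; it must never reach nginx
        echo "$cert: OCSP response $verdict, keeping the previous staple" >&2
        rm -f "$staple.tmp"
        return 1
    }
    mv "$staple.tmp" "$staple"
    nginx -s reload        # equivalent to killall -HUP nginx
}

# usage: sh ocsp-refresh.sh refresh cert.pem intermediate.pem /tmp/ca_chain.pem /path/to/ocsp_response_file
case "${1:-}" in
    refresh) shift; refresh_staple "$@" ;;
esac
```

Run it from cron with the `refresh` argument; without arguments it only defines the functions, which is what makes the parsing testable against captured openssl output.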


