About nginx and OCSP Must-Staple
wordlesswind
i at qingly.me
Thu Feb 24 18:06:06 UTC 2022
Hello guys,
I enabled OCSP Must-Staple, then I found that after restarting nginx, I
always get "MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING" error when
visiting my website for the first time.
I think this error means that the server is not caching OCSP information.
My nginx.conf is as follows:
server {
    listen 443 ssl http2 reuseport;
    listen [::]:443 ssl http2;
    server_name example.org;

    # Dual certificates: ECC and RSA, each with its own chain file and key;
    # OpenSSL picks one of them per handshake
    ssl_certificate /path/to/ecc/fullchain.cer;
    ssl_certificate_key /path/to/ecc/example.org.key;
    ssl_certificate /path/to/rsa/fullchain.cer;
    ssl_certificate_key /path/to/rsa/example.org.key;

    # OCSP stapling; the resolver is what nginx uses to reach the OCSP responder
    ssl_stapling on;
    resolver <internal dns1> <internal dns2> valid=300s;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_ecdh_curve secp384r1;
    ssl_early_data on;
    …
}
Since I have dual ECC and RSA certificates configured and they are
intact, I did not configure "ssl_trusted_certificate".
Do I need to configure other parameters like "ssl_ocsp" to solve the
problem I'm having now?
Also, I found a small issue: I noticed that the latest versions of Google
Chrome/Microsoft Edge choose to get the RSA certificate instead of the ECC
certificate.
  RSA 4096, issued by R3
  ECC 384, issued by E1
  Issuer: Let's Encrypt
I wonder why Chromium made this choice. Thank you!
Best Regards,
wordlesswind