How to enable OCSP stapling when default server is self-signed?

173279834462 nginx-forum at
Thu May 7 15:54:21 UTC 2015

> Note that this isn't really indicate anything: there are two forms of OCSP
requests, POST and GET. And Firefox uses POST, while nginx uses GET. Given
the fact that the responder was completely broken just a few days ago - it's
quite possible that it's still broken for GETs in some cases.

To comply with local security policy, we disabled POST globally on all
public-facing servers. 
This has the advantage of killing web 2.0 and all of its vulnerabilities
with one simple rule, emphasis on *killing web 2.0*. 
Yes, the sites are read-only, and we just love it that way. 

For each vhost, 
"ssl_certificate_key" includes the vhost's private key, 
"ssl_certificate" includes the vhosts's public key (leaf) AND the
intermediate key of the Issuer, 
"ssl_trusted_certificate" includes the certificate chain in full (leaf +
intermediate + root CA), 
all in PEM format. 

The openssl test works as expected:

vhost="<your-domain-here>"; echo Q | openssl s_client -CAfile
/path/to/your/local/trust/store/ca-bundle.pem -tls1 -tlsextdebug -status
-connect $vhost:443 -servername $vhost 2>&1 | less

There are two problems. 

problem 1

nginx's "ssl_certificate" (note the singular) is truly a bundle of the
certificate and the intermediate. 
In fact, if we remove the intermediate, we break the chain. 

The description for "ssl_certificate" is also misleading. 

"Specifies a file with the certificate in the PEM format for the given
virtual server. If intermediate certificates should be specified in addition
to a primary certificate, they should be specified in the same file in the
following order: the primary certificate comes first, then the intermediate
certificates. A secret key in the PEM format may be placed in the same file.

Although the above sentence "If intermediate certificates should be
specified" suggests that one may omit the intermediate certificate, in
reality you can only do this if you are the CA. I do not wish to sound
opinionated here, because I am making an effort to stick to the facts: if we
remove the intermediate, we do break the chain and the openssl test
complains loudly. 

Therefore, if your own facts correspond to the above, then the solution is
to edit nginx's source to limit "ssl_certificate" to the leaf's public key
only, and correct the description accordingly. The intermediate(s) can be
bundled in a separate file. 

It would be easier on the eyes to re-write the keywords as well: 

ssl_certificate_key -----> private_certificate
ssl_certificate 1/2  ------> public_certificate
ssl_certificate 2/2 -------> public_intermediate_certificates
ssl_trusted_certificate -> public_ca_certificate

In so doing, the configuration would finally be unambiguous. 

problem 2

If it is true that FF uses POST to *read*, by default, then this explains
the original problem with OCSP, and the fact that nginx is well configured
and openssl and other browsers do work as expected. Google and other search
engines show that Firefox has been affected by this OCSP problem for a long
time. Perhaps they could start using GET like everybody else?

Posted at Nginx Forum:,257833,258726#msg-258726

More information about the nginx mailing list