How to check nginx OCSP verification
A. Schulze
sca at andreasschulze.de
Tue Mar 1 20:01:15 UTC 2016
B.R.:
> I want to have details about the status nginx' validation of the initial
> OCSP query it did to the OCSP responder of the CA, especially when it goes
> wrong.
we do not let nginx fetch the ocsp data itself but use ssl_stapling_file.
a cronjob call openssl and VERIFY the ocsp resonse.
OCSP_RESPONSE='/path/to/ocsp_response_file' # ssl_stapling_file
in nginx.conf
# all intermediate and root certificates exept the certificate itself
CA_CHAIN='/tmp/ca_chain.pem'
cat intermediate.pem root.pem > $CA_CHAIN
DIRECT_ISSUER='root.pem' # or intermediate.pem, exact one certificate
CERT='cert.pem' # for this certificate we need the OCSP
response...
OCSP_URI=`openssl x509 -noout -text -in ${CERT} | grep 'OCSP -
URI:' | cut -d: -f2,3`
openssl ocsp -no_nonce \
-respout ${OCSP_RESPONSE}.tmp \
-CAfile ${CA_CHAIN} \
-issuer ${DIRECT_ISSUER} \
-cert ${CERT} \
-url ${OCSP_URI}
${EXTRA_ARGS}
if [ $? -eq 0 ]; then
# handle error
fi
# success
mv ${OCSP_RESPONSE}.tmp ${OCSP_RESPONSE}
killall -HUP nginx
EXTRA_ARGS handle some special tweaks
- Startcom: https://forum.startcom.org/viewtopic.php?f=15&t=2661
EXTRA_ARGS='-header HOST ocsp.startssl.com'
- Let's Entrypt:
https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264/3
EXTRA_ARGS='-header HOST ocsp.int-x1.letsencrypt.org -verify_other
${DIRECT_ISSUER}'
you may want to adjust to your needs.
Andreas
More information about the nginx
mailing list