How to enable OCSP stapling when default server is self-signed?
hotwirez
nginx-forum at forum.nginx.org
Wed Sep 28 16:44:45 UTC 2016
Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
>
> On Sun, Apr 12, 2015 at 12:21:19PM -0400, numroo wrote:
>
> > >> Yes, I ran the s_client command multiple times to account for the nginx
> > >> responder delay. I was testing OCSP stapling on just one of my domains.
> > >> Then I read that the 'default_server' SSL server also has to have OCSP
> > >> stapling enabled for vhost OCSP stapling to work:
> > >>
> > >> https://gist.github.com/konklone/6532544
> > >
> > >There is no such a requirement.
> >
> > I have the same problem here.
> >
> > openssl s_client -servername ${WEBSITE} -connect ${WEBSITE}:443 -tls1
> > -tlsextdebug -status|grep OCSP
> >
> > Always returns the following on all virtual hosts no matter how many
> > times I try:
> > OCSP response: no response sent
> >
> > But as soon as I disable my self-signed default host and restart Nginx, I
> > get a successful response on the second request on all CA signed hosts:
> > OCSP Response Status: successful (0x0)
>
> As previously suggested, tests with trivial config and debugging
> log may help to find out what goes wrong.
>
I wanted to mention that I've run into this issue as well when trying to
enable OCSP stapling, where I have a default_deny SSL server that has a
self-signed certificate where I don't want to use OCSP stapling, and other
actual server entries for actual sites where I want OCSP stapling enabled.
If I enable stapling for only the real sites, it appears to be silently
disabled. If I enable it for all server instances, it notices that the
default server uses a self-signed certificate and disables stapling. If I
remove the default server, OCSP stapling works for the remaining sites, but
then accessing the site using a means other than the correct server name
provides the SSL certificate for one of the servers.
I tried enabling the debug log but there are no [debug] entries containing
anything about OCSP in any of the above instances (only a [warn] entry is
added when the self-signed certificate is configured for the default server
with OCSP stapling enabled).
It would seem to me that for a parameter in the server {} block to be
affected by the parameter's value in other server {} blocks is a bug.
I apologize for coming to the show late; I hadn't cared about optimizing SSL
as much until more recently, and I haven't been able to find anyone
discussing this issue aside from here (and on various how-to's generally
describing the behavior I have confirmed through testing).
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,257833,269916#msg-269916
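An added check, not part of the thread, that scripts the s_client probe the posters used against every server_name plus the default server: each name is probed twice, because nginx only fetches the OCSP response on demand after a first handshake, so a single probe after a restart would always show "no response sent". The host, port and the unmatched name default.invalid (used to land on default_server) are placeholders to replace.

```shell
#!/bin/sh
# Added example: report which vhosts actually staple an OCSP response.
# Relies only on openssl s_client -status, as in the thread.

# Classify one captured s_client transcript read from stdin.
# Prints one of: stapled | unstapled | unknown (e.g. connection failed).
classify_stapling() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo unstapled
    else
        echo unknown
    fi
}

# One TLS handshake to host:port with SNI name $3, requesting a stapled
# response (-status). stdin is closed so s_client exits after the handshake.
probe_once() {
    openssl s_client -connect "$1:$2" -servername "$3" -status \
        </dev/null 2>/dev/null
}

# Probe a name twice and report the second result: the first handshake is
# the one that triggers nginx's OCSP fetch, so only the second is meaningful.
check_vhost() {
    host=$1; port=$2; sni=$3
    probe_once "$host" "$port" "$sni" >/dev/null
    status=$(probe_once "$host" "$port" "$sni" | classify_stapling)
    printf '%-30s %s\n' "$sni" "$status"
}

# Usage: sh ocsp-check.sh HOST PORT NAME...
# Include an unmatched name (placeholder: default.invalid) to exercise the
# default_server block alongside the real server_names.
if [ "$#" -ge 3 ]; then
    host=$1; port=$2; shift 2
    for name in "$@"; do
        check_vhost "$host" "$port" "$name"
    done
fi
```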