Nginx OCSP stapling ssl_trusted_certificate #1813

Closed
pupboss opened this Issue Dec 7, 2015 · 6 comments


pupboss commented Dec 7, 2015

After running the ./letsencrypt-auto command, we got four files: privkey.pem, cert.pem, chain.pem, fullchain.pem.

For OCSP stapling configuration of Nginx, we also need a cert which includes cert.pem, chain.pem, and the DST Root CA X3 cert.

Please rename fullchain.pem to cert_nginx.pem and generate a real full chain certificate.

Here is the content of DST Root CA X3:

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Using the fullchain.pem as the ssl_certificate and cert.pem as the ssl_trusted_certificate for stapling works fine.

pupboss commented Dec 9, 2015

@riyadhalnur OK, I'll try it now thanks :)

pupboss commented Dec 9, 2015

Cool, I got it!

@pupboss pupboss closed this Dec 9, 2015

Awesome. Btw I wrote a piece on getting started with Let's Encrypt - https://blog.verticalaxisbd.com/using-lets-encrypt-to-secure-your-site/

pupboss commented Jan 2, 2016

Maybe the last time I tested it was successful because of the cache. OCSP always has a three-day validity.

I tested it just now, but failed.

The official documentation says the stapling ssl_trusted_certificate needs the root cert.

After appending the root cert below the full chain, it worked.

I am also having an issue with correctly accessing the OCSP Stapling functionality from inside nginx. I believe the problem may have something to do with a HOST header. For example, when using the openssl command line tool to try and get a response from the letsencrypt server I get a 400 code unless I send a HOST header. I believe that nginx is not sending this header.

E.g.:

openssl ocsp -issuer /etc/letsencrypt/live/site.com/chain.pem -cert /etc/letsencrypt/live/site.com/cert.pem -text -url http://ocsp.int-x1.letsencrypt.org/

Error querying OCSP responsder
140086612608672:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:250:Code=400,Reason=Bad Request

openssl ocsp -issuer /etc/letsencrypt/live/site.com/chain.pem -cert /etc/letsencrypt/live/site.com/cert.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST" "ocsp.int-x1.letsencrypt.org"

Gets a full response with a few items that look a bit wrong:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
Produced At: Jan 5 14:36:00 2016 GMT
Responses:
........
........
WARNING: no nonce in response
Response Verify Failure
140395530196640:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
/etc/letsencrypt/live/site.com/cert.pem: good
This Update: Jan 5 14:00:00 2016 GMT
Next Update: Jan 12 14:00:00 2016 GMT
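Added example (not code from the thread, certbot or nginx): the two points the thread arrives at, that certbot's chain.pem alone is not enough for ssl_trusted_certificate and that an OCSP response only verifies once the signer's chain reaches a trusted root, reproduced offline with a throwaway root -> intermediate -> leaf PKI generated by openssl. The CA names, the www.example.test hostname, the serial numbers and the certbot-style directory layout are all assumptions. Because everything is local it does not exercise the HTTP Host-header behaviour mentioned in the last comment, and the verification step deliberately passes only -CAfile (no -issuer) so that the result reflects the trust file alone.

```shell
#!/bin/sh
# Added example, not from the issue thread, certbot or nginx. Builds a toy
# root -> intermediate -> leaf PKI, lays the files out the way certbot does
# (cert.pem, chain.pem, fullchain.pem, privkey.pem) and then shows why the
# file behind nginx's ssl_trusted_certificate must carry the root as well:
# OpenSSL does not accept a non-self-signed intermediate as a trust anchor
# unless X509_V_FLAG_PARTIAL_CHAIN is set, and nginx does not set it when it
# verifies a stapled OCSP response. Names, serials and paths are assumptions.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LIVE="$WORK/live/www.example.test"   # stand-in for /etc/letsencrypt/live/<site>
mkdir -p "$LIVE"

cat >"$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# P-256 key plus CSR; $1 = basename, $2 = CN
mkcsr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
    openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
}

build_pki() {
    mkcsr root "Example Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/root.pem"
    mkcsr int "Example Intermediate CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 0x100 -days 1825 -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/int.pem"
    mkcsr leaf "www.example.test"
    # fixed serial so the OCSP index row below matches the leaf
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -set_serial 0x1001 -days 90 -extfile "$WORK/ext.cnf" -extensions leaf -out "$WORK/leaf.pem"
    # certbot-style layout
    cp "$WORK/leaf.key" "$LIVE/privkey.pem"
    cp "$WORK/leaf.pem" "$LIVE/cert.pem"
    cp "$WORK/int.pem"  "$LIVE/chain.pem"
    cat "$WORK/leaf.pem" "$WORK/int.pem" >"$LIVE/fullchain.pem"
    # what ssl_trusted_certificate should point at: intermediate(s) plus root
    cat "$LIVE/chain.pem" "$WORK/root.pem" >"$LIVE/trusted.pem"
}

# 0 if cert.pem chains up to a trust anchor found in file $1, non-zero otherwise
verify_leaf_against() {
    openssl verify -CAfile "$1" "$LIVE/cert.pem" >/dev/null 2>&1
}

# Build an OCSP response offline: the intermediate answers for its own leaf,
# so the response signer is the intermediate and its chain ends at the root,
# which is exactly what nginx has to verify with ssl_stapling_verify on.
make_stapled_response() {
    # openssl ca index row: status, expiry, revocation time, serial, file, subject
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=www.example.test\n' >"$WORK/index.txt"
    openssl ocsp -issuer "$LIVE/chain.pem" -cert "$LIVE/cert.pem" -no_nonce \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    openssl ocsp -index "$WORK/index.txt" -CA "$LIVE/chain.pem" \
        -rsigner "$LIVE/chain.pem" -rkey "$WORK/int.key" -rmd sha256 -ndays 1 \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
}

# 0 if the response verifies against trust file $1 and reports the cert good
verify_ocsp_against() {
    out=$(openssl ocsp -respin "$WORK/resp.der" -CAfile "$1" -no_nonce -text 2>&1) || true
    printf '%s\n' "$out" | grep -q 'Response verify OK' &&
        printf '%s\n' "$out" | grep -q 'Cert Status: good'
}

build_pki >/dev/null 2>&1
make_stapled_response

report() {  # $1 = label, $2 = check function, $3 = trust file
    if "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}
report "chain.pem alone, openssl verify"  verify_leaf_against "$LIVE/chain.pem"
report "chain.pem + root, openssl verify" verify_leaf_against "$LIVE/trusted.pem"
report "chain.pem alone, OCSP response"   verify_ocsp_against "$LIVE/chain.pem"
report "chain.pem + root, OCSP response"  verify_ocsp_against "$LIVE/trusted.pem"
```

The first and third checks fail and the second and fourth succeed, which is the thread's conclusion in miniature: with `ssl_stapling on;` and `ssl_stapling_verify on;`, point `ssl_trusted_certificate` at the concatenation of certbot's chain.pem and the root it chains to (nginx also needs a `resolver` to reach the responder), while `ssl_certificate` keeps fullchain.pem. The DST Root CA X3 certificate pasted above expired in September 2021, so a current deployment appends whichever root the live chain.pem actually chains to rather than that block.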

@pde pde added the area: ocsp label Jun 14, 2016
