OCSP responder doesn't support multiple cert status request #2331
I deployed parallel ECDSA+RSA certs on nginx, whereas I cannot get
The certs are both issued by Let’s Encrypt Authority X3.
openssl ocsp -issuer lets-encrypt-x3-cross-signed.pem \
    -cert ecc.pem \
    -cert rsa.pem \
    -no_nonce \
    -resp_text \
    -url http://ocsp.int-x3.letsencrypt.org/ \
    -header "HOST" "ocsp.int-x3.letsencrypt.org"
You can see two
Then I tried
You're correct that Let's Encrypt's OCSP responder doesn't support multiple certificate status requests.
Ideally, Nginx should be configurable such that it has a separate ssl_stapling_file for each certificate, but I'm guessing that's not possible. Do you think it's reasonable to file a bug report on Nginx?
Actually I had found an issue on Nginx before I opened one here, the ticket was set to invalid. It seems that the guy didn't get the point exactly, 'cause we just need
For me, as a user, I would be grateful to whichever side of you achieves this feature.
Closing this issue. There is no way we can serve multiple responses to a request with multiple certificate IDs without redesigning our OCSP signing service and doing live signing (the latter of which we explicitly do not want to do).
We agree this is something that should be fixed at the webserver level and will follow up on the relevant nginx + Apache tickets to try and get this fixed.
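The request in the opening post (several -cert options in one openssl ocsp invocation) is a well-formed OCSP request; RFC 6960 allows one request message to carry several single requests, and the thread's conclusion is only that this responder does not answer them, so a webserver has to query each certificate on its own. The script below is an added example, not code from this issue, from Boulder, nginx or Let's Encrypt: it builds a throwaway issuer plus an ECDSA and an RSA leaf standing in for the pair in the post, answers requests offline with openssl's index-file responder (so nothing is sent to any real responder), and shows both the per-certificate query, with each response verified against the certificate it was requested for, and a combined two-certificate request answered with two single responses. All paths, subjects, serials and the index file contents are constructed; `openssl` on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the issue: per-certificate OCSP queries against a
# local, offline openssl responder. Everything below is constructed: a
# throwaway issuer, an ECDSA and an RSA leaf, and an OpenSSL CA index file.
set -eu

# Create issuer, two leaf certificates and the index file in directory $1.
setup_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed issuer; it also signs the OCSP responses (a CA answering its
    # own OCSP queries rather than delegating to a responder certificate).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=ExampleIssuer \
        -keyout "$dir/issuer.key" -out "$dir/issuer.pem" 2>/dev/null
    # ECDSA leaf, serial 0x1001.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ecc.key"
    openssl req -new -key "$dir/ecc.key" -subj /CN=ecc.example.test \
        -out "$dir/ecc.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ecc.csr" -CA "$dir/issuer.pem" -CAkey "$dir/issuer.key" \
        -set_serial 0x1001 -days 1 -out "$dir/ecc.pem" 2>/dev/null
    # RSA leaf, serial 0x1002.
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=rsa.example.test \
        -keyout "$dir/rsa.key" -out "$dir/rsa.csr" 2>/dev/null
    openssl x509 -req -in "$dir/rsa.csr" -CA "$dir/issuer.pem" -CAkey "$dir/issuer.key" \
        -set_serial 0x1002 -days 1 -out "$dir/rsa.pem" 2>/dev/null
    # OpenSSL CA database the responder consults: status, expiry, revocation
    # date (empty = valid), serial in hex, file, subject. The expiry column is
    # a constructed placeholder; the responder only reads the status column.
    printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=ecc.example.test\n' >  "$dir/index.txt"
    printf 'V\t991231235959Z\t\t1002\tunknown\t/CN=rsa.example.test\n' >> "$dir/index.txt"
}

# Answer the DER request $2 from the index and write the DER response to $3.
respond() {
    dir=$1
    openssl ocsp -index "$dir/index.txt" -CA "$dir/issuer.pem" \
        -rsigner "$dir/issuer.pem" -rkey "$dir/issuer.key" \
        -reqin "$2" -respout "$3" >/dev/null 2>&1
}

# One request per certificate (the workaround the thread converges on):
# build it, get it answered, verify the response against that certificate and
# print the status word openssl reports (good, revoked or unknown).
ocsp_status() {
    dir=$1; cert=$2
    openssl ocsp -issuer "$dir/issuer.pem" -cert "$dir/$cert" -no_nonce \
        -reqout "$dir/$cert.req" >/dev/null 2>&1
    respond "$dir" "$dir/$cert.req" "$dir/$cert.resp"
    openssl ocsp -issuer "$dir/issuer.pem" -cert "$dir/$cert" -no_nonce \
        -respin "$dir/$cert.resp" -CAfile "$dir/issuer.pem" 2>/dev/null |
        awk -v c="$dir/$cert:" '$1 == c { print $2; exit }'
}

# The shape of the opening post's request: several -cert options in one
# request. Prints how many "Certificate ID:" blocks (one per SingleResponse)
# the verified response text contains; a responder that handles
# multi-certificate requests returns one per certificate asked about.
single_response_count() {
    dir=$1; shift
    certs=""
    for c in "$@"; do certs="$certs -cert $dir/$c"; done
    # $certs is word-split on purpose; the constructed paths contain no spaces.
    openssl ocsp -issuer "$dir/issuer.pem" $certs -no_nonce \
        -reqout "$dir/multi.req" >/dev/null 2>&1
    respond "$dir" "$dir/multi.req" "$dir/multi.resp"
    openssl ocsp -issuer "$dir/issuer.pem" $certs -no_nonce -resp_text \
        -respin "$dir/multi.resp" -CAfile "$dir/issuer.pem" 2>/dev/null |
        grep -c 'Certificate ID:'
}

WORK=$(mktemp -d)
setup_pki "$WORK"
echo "ecc.pem: $(ocsp_status "$WORK" ecc.pem)"
echo "rsa.pem: $(ocsp_status "$WORK" rsa.pem)"
echo "single responses to a two-certificate request: $(single_response_count "$WORK" ecc.pem rsa.pem)"
rm -rf "$WORK"
```

The per-certificate path is what a stapling setup needs: each `.resp` file is a response for exactly one certificate, verified against that certificate's issuer before use, which is the form a webserver could staple alongside the matching certificate. The final function is there for contrast only; it shows what a responder that does honour multi-certificate requests returns, so a reply with fewer single responses than certificates asked about (the behaviour reported in this issue) is easy to recognise when checking a stapled response.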