
After hours of trying I have to get help for my issue. I am trying to get OCSP stapling to work with my setup, but am not successful in doing so.

Here is my nginx configuration, without any non-relevant bits.

user www www;
worker_processes 5;
error_log /var/log/nginx/error.log;
events {
    worker_connections 1024;
}

http {
    include mime.types;
    index index.html index.htm;

    log_format main '$remote_addr - $remote_user [$time_local]  $status '
                    '"$request" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    aio on;

    sendfile on;
    autoindex on;
    autoindex_exact_size off;

    tcp_nopush on;
    tcp_nodelay on;

    ignore_invalid_headers on;

    keepalive_timeout 70;

    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_types text/plain text/css application/xml application/javascript application/json font/opentype text/cache-manifest text/x-cross-domain-policy text/xml application/x-javascript;
    gzip_vary on;

    ssl_certificate fullchain.pem;
    ssl_certificate_key server.key;
    # With ssl_stapling_verify on, this file must hold the CA certificates
    # (in PEM format) that verify the OCSP response.
    ssl_trusted_certificate trusted.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_dhparam dh4096.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000";
    add_header X-Frame-Options "DENY";
    add_header X-Content-Type-Options nosniff;
    # The header value is "1; mode=block" (semicolon), not "1, mode=block".
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "upgrade-insecure-requests";

    map "$scheme:$http_upgrade_insecure_requests" $shouldUpgrade {
        default 0;
        "http:1" 1;
    }

    map $http_accept $webp_suffix {
        default "";
        "~*webp" ".webp";
    }

    expires -1;
    add_header Cache-Control "public";

    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl http2;

        server_name localhost;
        access_log /var/log/nginx/access.log main;
        root /www/;
        error_page 404 /404.html;

        if ($shouldUpgrade) {
            return 307 https://$host$request_uri;
        }
    }
}

I am getting an error in the log files:

2019/04/30 21:28:07 [error] 28718#100839: OCSP_basic_verify() failed (SSL: error:27FFF076:OCSP routines:CRYPTO_internal:signer certificate not found) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 2.16.100.83:80, certificate: "/usr/local/etc/nginx/fullchain.pem"

No matter what I include in the file given to ssl_trusted_certificate, I cannot fix this. I tried including the full chain, adding the root CA to it, only the CA, only the intermediate. Adding the root CA into the fullchain.pem file given to ssl_certificate results in errors on SSL verification websites.

Despite all of that, I am still told "OCSP Stapling not enabled." on https://ssldecoder.org and get "OCSP response: no response sent" when using openssl s_client.

Any help would be appreciated. I am using Let's Encrypt.

Cubox
    How did you construct `/usr/local/etc/nginx/trusted.pem`? – Michael Hampton Apr 30 '19 at 19:52
  • `ssl_trusted_certificate` should contain all certificates needed to verify the OCSP response. It is not clear which certificates are this in your case since nothing is known about the CA you are using and who is issuing the OCSP responses for this CA. – Steffen Ullrich Apr 30 '19 at 21:36
  • @MichaelHampton I have tried both using the contents of fullchain.pem, which has the CA intermediate certificate and mine. I have also tried to add to that the root certificate of the CA, at the end of trusted.pem. The error message still mentions not finding the signer certificate in fullchain.pem, which is used by ssl_certificate only. – Cubox May 01 '19 at 17:22
  • @SteffenUllrich I have specified that I am using https://letsencrypt.org/certificates/. The Root CA is https://letsencrypt.org/certs/isrgrootx1.pem.txt while the intermediate is https://letsencrypt.org/certs/letsencryptauthorityx3.pem.txt, their OCSP seems to be ocsp.int-x3.letsencrypt.org according to the nginx error message. – Cubox May 01 '19 at 17:23
  • Just to make sure, I recreated trusted.pem using `cat server.crt ca.pem isrgrootx1.pem > trusted.pem`. This has not helped. – Cubox May 01 '19 at 17:27
  • @Cubox: I have no idea what `ca.pem` is and `server.crt` is irrelevant for checking the OCSP response. I've just put your `letsencryptauthorityx3.pem.txt` and `isrgrootx1.pem.txt` into `trusted.pem` since these are the certificates needed to verify the OCSP response. Works perfectly for me as I expected. – Steffen Ullrich May 01 '19 at 19:45
  • @SteffenUllrich Sorry for not explaining, ca.pem is just letsencryptauthorityx3.pem.txt. I will try with just the root and intermediate certs. – Cubox May 02 '19 at 18:05
  • @SteffenUllrich I have remade trusted.pem, like you described, with its contents being (can't paste here: https://paste.cubox.dev/m9pJj). Still no luck... – Cubox May 02 '19 at 18:10
  • I have tried to get an OCSP response using openssl directly `openssl ocsp -verify_other fullchain.pem -issuer trusted.pem -cert server.crt -text -url http://ocsp.int-x3.letsencrypt.org -header "Host" "ocsp.int-x3.letsencrypt.org"` and got a response (https://paste.cubox.dev/ZPoZ5) – Cubox May 02 '19 at 18:45
  • @Cubox: there does not seem to be any problem with the response you got. – Steffen Ullrich May 02 '19 at 20:36
  • *"I have remade trusted.pem, like you described..."* - there are no actual certificates in the file you show. It contains only the textual interpretation of the certificates but not the certificates itself. Please use the contents of the PEM files instead. – Steffen Ullrich May 02 '19 at 20:38
  • @SteffenUllrich The paste I linked contained the contents as described when read by OpenSSL as text. The actual file contents are https://paste.cubox.dev/Dcbav – Cubox May 03 '19 at 09:18
  • @SteffenUllrich I agree that the response is fine when using openssl ocsp directly, this only adds to why I'm confused when nginx fails to staple. – Cubox May 03 '19 at 09:21
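The comments above pin down two separate failure modes: trusted.pem holding the wrong certificates (the server certificate instead of the issuing intermediate plus root) and trusted.pem holding the `openssl x509 -text` dump instead of the PEM blocks. The script below is an added example, not code from the question, the answer or the nginx project; it builds the bundle from intermediate and root only, rejects a text dump, and carries a live check that re-creates what nginx does with `openssl ocsp` and then looks at the stapled status with `openssl s_client -status`. It assumes POSIX sh with grep, cat and mktemp; the file names and the base64 bodies of the demo certificates are constructed placeholders, and `check_live` (which needs openssl and network access) is defined but not run by the demo.

```shell
#!/bin/sh
# Added example (not from the question or nginx): structural checks on the
# bundle handed to ssl_trusted_certificate before enabling ssl_stapling_verify.
# Assumes POSIX sh with grep, cat and mktemp; all file names are hypothetical.

# Number of PEM certificate blocks in a file (0 for a missing file or a text dump).
pem_cert_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# The mistake seen in the comments: a file holding the `openssl x509 -text`
# output ("Certificate:", "Signature Algorithm:", ...) but no PEM block at all.
bundle_is_textual() {
    [ "$(pem_cert_count "$1")" -eq 0 ] && grep -q '^Certificate:' "$1"
}

# Build trusted.pem from the issuing intermediate and the root only; those are
# the certificates needed to verify the responder's signature. The server's
# own certificate does not belong in this file.
make_trusted_bundle() {
    inter="$1"; root="$2"; out="$3"
    for f in "$inter" "$root"; do
        if [ "$(pem_cert_count "$f")" -eq 0 ]; then
            echo "refusing: $f contains no PEM certificate block" >&2
            return 1
        fi
    done
    cat "$inter" "$root" > "$out"
}

# Returns 0 when the bundle is plausible for ssl_trusted_certificate,
# 1 with a reason on stderr otherwise.
check_trusted_bundle() {
    f="$1"
    if bundle_is_textual "$f"; then
        echo "$f: text dump only, no actual certificates" >&2
        return 1
    fi
    n=$(pem_cert_count "$f")
    if [ "$n" -lt 2 ]; then
        echo "$f: expected intermediate + root, found $n certificate(s)" >&2
        return 1
    fi
    return 0
}

# Live end-to-end check (needs openssl and network; not run by the demo below):
# verify a responder reply against trusted.pem the way nginx will, then see
# whether the server actually staples ("OCSP response: no response sent" means it
# does not).
check_live() {
    host="$1"; server_crt="$2"; inter="$3"; trusted="$4"; url="$5"
    openssl ocsp -issuer "$inter" -cert "$server_crt" -CAfile "$trusted" \
        -url "$url" -resp_text
    openssl s_client -connect "$host:443" -servername "$host" -status </dev/null 2>/dev/null \
        | grep -i 'ocsp response'
}

# --- Demo on constructed input (the base64 bodies are placeholders, not real certs) ---
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
fake_pem() { printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$1"; }
fake_pem 'MIIBconstructedIntermediate' > "$DEMO_DIR/intermediate.pem"
fake_pem 'MIIBconstructedRoot'         > "$DEMO_DIR/root.pem"
# What a text-only trusted.pem looks like: the dump header, no PEM framing.
printf 'Certificate:\n    Data:\n        Version: 3 (0x2)\n' > "$DEMO_DIR/text-dump.pem"

make_trusted_bundle "$DEMO_DIR/intermediate.pem" "$DEMO_DIR/root.pem" "$DEMO_DIR/trusted.pem"
check_trusted_bundle "$DEMO_DIR/trusted.pem" \
    && echo "trusted.pem: ok ($(pem_cert_count "$DEMO_DIR/trusted.pem") certificates)"
check_trusted_bundle "$DEMO_DIR/text-dump.pem" || echo "text-dump.pem: rejected as expected"
```

On a real host the call would be `make_trusted_bundle letsencryptauthorityx3.pem isrgrootx1.pem trusted.pem` followed by `check_trusted_bundle trusted.pem`, and only then `check_live` against the running server; the structural checks catch the two mistakes from the comments without any network access, while the `openssl ocsp` step uses the same `-CAfile` that nginx will trust.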

1 Answer


FreeBSD security/libressl was recently upgraded to 2.9.1. OCSP stapling has stopped working in nginx for me as well since the version change in LibreSSL, so I'm assuming there is an underlying issue in the library or nginx' interaction with it.

Edit: In the meantime, Elias Ohm has analyzed this in more detail on the FreeBSD bug tracker. TL;DR: It's an nginx bug, it's using the wrong function to access the certificate chain when using the newer OpenSSL API.

pepe
  • [LibreSSL has added a fix](https://github.com/libressl-portable/portable/issues/532) in their repository today, not sure when it will land in ports. – pepe Jan 02 '20 at 13:34