
It's my first time using certbot in Docker with nginx.

  • nginx version: 1.23.1
  • nginx build : docker (macbre/nginx-http3)
  • OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

nginx throws this error when trying to use OCSP stapling:

nginx: [warn] "ssl_stapling" ignored, not supported

The cert seems to support OCSP:

openssl x509 -in cert.pem -noout -ocsp_uri
# http://r3.o.lencr.org

nginx ssl conf

# =============================================================================
# default Certificates
ssl_certificate     /certs/dir/cert.pem;
ssl_certificate_key /certs/dir/key.pem;
# =============================================================================
ssl_dhparam         /certs/dir/dhparam.pem;

# =============================================================================
# # OCSP stapling
ssl_stapling            on;
ssl_stapling_verify     on;

# # verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /certs/dir/chain.pem;

# # replace with the IP address of your resolver
resolver            1.1.1.1 8.8.8.8 8.8.4.4 valid=1200s;
resolver_timeout    3s;

# =============================================================================
# TLS
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# =============================================================================
# 0-RTT QUIC connection resumption
ssl_early_data  on;

# =============================================================================
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4
# Optimize session cache
# ssl_session_timeout 1d;
ssl_session_timeout 4h;
# about 40000 sessions
ssl_session_cache shared:MozSSL:10m;

# Enable session tickets
ssl_session_tickets off;

Those didn't help:

and many from this list: https://stackoverflow.com/search?q=nginx+ocsp


Has anybody encountered this issue before?

Or could anyone tell me how to overcome this?

I want to set up OCSP with nginx.

1 Answer

OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)

Based on this discussion it looks like OCSP stapling when using BoringSSL is not fully supported. While there is a patch to add support for OCSP stapling to nginx, it needs to have the OCSP response provided as a file; it cannot retrieve it automatically from within nginx from the OCSP responder. To cite:

Due to usage of BoringSSL instead of OpenSSL, some directives may not work, e.g. ssl_conf_command. Besides, direct OCSP stapling via ssl_stapling on; ssl_stapling_verify on; does not work too. You should use ssl_stapling on; ssl_stapling_file /path/to/ocsp;. The OCSP file can be generated via ...

Steffen Ullrich
  • this command saved a lot of things `openssl ocsp -no_nonce -issuer /path/to/intermediate -cert /path/to/cert -url "$(openssl x509 -in /path/to/cert -noout -ocsp_uri)" -respout /path/to/ocsp` – Abd-Elaziz Sharaf Oct 13 '22 at 19:29
  • is there a way to generate the file from local ca in the data center too with openssl ... for that case I have all the certs but no ocsp server ... and thanks for the answer .. it works well – Abd-Elaziz Sharaf Oct 13 '22 at 19:33
  • @Abd-ElazizSharaf: I don't know of an easy way to create the OCSP response apart from asking the OCSP server for it - but you can run your own OCSP server and ask it. See https://bhashineen.medium.com/create-your-own-ocsp-server-ffb212df8e63 – Steffen Ullrich Oct 14 '22 at 17:22
  • Thanks, I think I need to reconfigure certs, run my oscp server, generate ocsp file, then reconfigure my server, the trick is the first one as I see – Abd-Elaziz Sharaf Oct 15 '22 at 09:29
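The answer's `ssl_stapling_file` approach means nginx no longer refreshes the OCSP response itself, so the file has to be fetched, checked and replaced on a schedule. The script below is an added example (not code from the question, the answer, or the macbre/nginx-http3 image) that wraps the `openssl ocsp` command from the comments. It assumes the question's certbot layout (`/certs/dir/cert.pem`, `/certs/dir/chain.pem`), that `chain.pem` is both the issuer and a chain up to a trusted root (the `-CAfile` flag is my addition to the commenter's command), an output file name of `/certs/dir/ocsp.der`, and that `nginx -s reload` is available in the container.

```shell
#!/bin/sh
# refresh-ocsp-staple.sh: fetch, verify and install an OCSP response for
# nginx's ssl_stapling_file. Added example; not part of the question or answer.
# Paths are assumptions matching the question's layout; adjust as needed.
CERT="${CERT:-/certs/dir/cert.pem}"     # leaf certificate
CHAIN="${CHAIN:-/certs/dir/chain.pem}"  # issuing intermediate(s), as certbot writes it
STAPLE="${STAPLE:-/certs/dir/ocsp.der}" # target of ssl_stapling_file

# True only if `openssl ocsp` reported that the responder signature verified.
# (openssl prints this line on stderr, so callers merge stderr into the output.)
ocsp_verified() {
  printf '%s\n' "$1" | grep -q '^Response verify OK'
}

# Extract the certificate status word (good / revoked / unknown) from the
# "<cert file>: <status>" line of `openssl ocsp` output.
ocsp_status() {
  printf '%s\n' "$1" | sed -n 's/^[^:]*: \([a-z]*\)$/\1/p' | head -n 1
}

# Fetch a fresh response from the URI embedded in the certificate, verify it
# against the chain, and atomically replace the staple file. Returns 0 on a
# verified "good" response, 2 if the response verified but the status is not
# "good" (the file is still installed so clients see the real status), and 1
# on any error (the old staple file is left untouched).
refresh_staple() {
  uri=$(openssl x509 -in "$CERT" -noout -ocsp_uri) || return 1
  [ -n "$uri" ] || { echo "no OCSP URI in $CERT" >&2; return 1; }
  tmp=$(mktemp "$STAPLE.XXXXXX") || return 1
  # -CAfile "$CHAIN" is an assumption: chain.pem must reach a root you trust.
  out=$(openssl ocsp -no_nonce -issuer "$CHAIN" -cert "$CERT" -CAfile "$CHAIN" \
        -url "$uri" -respout "$tmp" 2>&1)
  if ! ocsp_verified "$out"; then
    rm -f "$tmp"
    printf 'OCSP response did not verify:\n%s\n' "$out" >&2
    return 1
  fi
  # mv is atomic on the same filesystem, so nginx never reads a partial file.
  chmod 0644 "$tmp" && mv -f "$tmp" "$STAPLE" || { rm -f "$tmp"; return 1; }
  status=$(ocsp_status "$out")
  if [ "$status" != good ]; then
    echo "warning: stapled response for $CERT has status '$status'" >&2
    return 2
  fi
  return 0
}

# Run only when invoked as `refresh-ocsp-staple.sh refresh` (e.g. from cron),
# so the functions above can be sourced without side effects.
case "${1:-}" in
  refresh) refresh_staple && nginx -s reload ;;  # assumes nginx is in PATH
esac
```

With the file in place, the stapling part of the question's config becomes `ssl_stapling on; ssl_stapling_file /certs/dir/ocsp.der;` (the form the answer quotes), and `ssl_stapling_verify` goes away since the verification now happens in the script. Schedule the refresh well inside the interval printed as "Next Update" by `openssl ocsp`, so the file never holds a response past its validity.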