B.R.:

I want to have details about the status of nginx's validation of the initial
OCSP query it did to the OCSP responder of the CA, especially when it goes
wrong.

We do not let nginx fetch the OCSP data itself but use ssl_stapling_file.
A cronjob calls openssl and VERIFIES the OCSP response.

    OCSP_RESPONSE='/path/to/ocsp_response_file' # ssl_stapling_file in nginx.conf

    # all intermediate and root certificates except the certificate itself
    CA_CHAIN='/tmp/ca_chain.pem'
    cat intermediate.pem root.pem > $CA_CHAIN

    DIRECT_ISSUER='root.pem' # or intermediate.pem, exactly one certificate
    CERT='cert.pem' # for this certificate we need the OCSP response...

    OCSP_URI=`openssl x509 -noout -text -in ${CERT} | grep 'OCSP - URI:' | cut -d: -f2,3`

    openssl ocsp -no_nonce                \
            -respout ${OCSP_RESPONSE}.tmp \
            -CAfile ${CA_CHAIN}           \
            -issuer ${DIRECT_ISSUER}      \
            -cert ${CERT}                 \
            -url ${OCSP_URI}              \
            ${EXTRA_ARGS}

    if [ $? -ne 0 ]; then
      # handle error: the previous response stays in place
      exit 1
    fi

    # success
    mv ${OCSP_RESPONSE}.tmp ${OCSP_RESPONSE}
    killall -HUP nginx

EXTRA_ARGS handles some special tweaks:
 - StartCom: https://forum.startcom.org/viewtopic.php?f=15&t=2661
   EXTRA_ARGS='-header HOST ocsp.startssl.com'

 - Let's Encrypt: https://community.letsencrypt.org/t/unable-to-verify-ocsp-response/7264/3
   EXTRA_ARGS='-header HOST ocsp.int-x1.letsencrypt.org -verify_other ${DIRECT_ISSUER}'

You may want to adjust this to your needs.

Andreas
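As an added example (not part of Andreas' post): a check to run on the text that the openssl ocsp call above prints before the .tmp file is moved into place. openssl ocsp exits non-zero only when the responder signature fails to verify; a "revoked" or "unknown" status, or thisUpdate/nextUpdate outside the validity window, still exit 0, so the summary lines must be inspected as well. The function name and the sample outputs are constructed here.

```sh
#!/bin/sh
# ocsp_response_ok OUTPUT CERT
#   OUTPUT: captured stdout of "openssl ocsp ... -cert CERT"
#   CERT:   the value passed to -cert; openssl prefixes the status line with it
# Returns 0 only if the response verified, the status is "good" and openssl
# did not warn about the validity window. Example helper, not from the post.
ocsp_response_ok() {
    output=$1
    cert=$2
    # 1. responder signature chained to the issuer
    if ! printf '%s\n' "$output" | grep -q '^Response verify OK'; then
        return 1
    fi
    # 2. openssl flagged thisUpdate/nextUpdate as stale or not yet valid
    if printf '%s\n' "$output" | grep -q 'Status times invalid'; then
        return 1
    fi
    # 3. status for our certificate is exactly "good" (not revoked/unknown)
    if ! printf '%s\n' "$output" | grep -q "^${cert}: good\$"; then
        return 1
    fi
    return 0
}

# Constructed samples in the layout openssl ocsp prints (trimmed).
GOOD_RESPONSE='Response verify OK
cert.pem: good
	This Update: Jan  1 00:00:00 2024 GMT
	Next Update: Jan  8 00:00:00 2024 GMT'

REVOKED_RESPONSE='Response verify OK
cert.pem: revoked
	This Update: Jan  1 00:00:00 2024 GMT
	Next Update: Jan  8 00:00:00 2024 GMT
	Reason: keyCompromise
	Revocation Time: Dec 31 12:00:00 2023 GMT'

STALE_RESPONSE='Response verify OK
cert.pem: WARNING: Status times invalid.
good
	This Update: Jan  1 00:00:00 2023 GMT
	Next Update: Jan  8 00:00:00 2023 GMT'

UNVERIFIED_RESPONSE='Response Verify Failure
cert.pem: good
	This Update: Jan  1 00:00:00 2024 GMT
	Next Update: Jan  8 00:00:00 2024 GMT'

# In the cron job: out=$(openssl ocsp ... 2>&1); then install only if
# [ $? -eq 0 ] && ocsp_response_ok "$out" "$CERT"
```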

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
