OCSP stapling: automatic updates

Hello,

nginx is not updating the ocsp response cache:

This Update: Sep  5 08:36:32 2015 GMT
Next Update: Sep  7 08:36:32 2015 GMT

It is 16:09, so the cache is 8h behind.

How would you diagnose and solve this problem?

A related question is the duration of the cache.
The local server uses 2 days, as shown above.
How would you change this duration to, say, 8 days?

This is an example of an 8 days cache:

echo QUIT | openssl s_client -CAfile /etc/ssl/ca-bundle.pem -connect ssllabs.com:443 -servername ssllabs.com -tlsextdebug -status 2>&1 | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

OCSP response:

OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = "Entrust, Inc.", OU = See Legal and Compliance, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K, CN = OCSP1
Produced At: Sep 7 02:16:10 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: CC6D221CF6B4552C2F87915F5AFEF0E1EECE83CC
Issuer Key Hash: 82A27074DDBC533FCF7BD4F7CD7FA760C60A4CBF
Serial Number: 50D359F0
Cert Status: good
This Update: Sep 6 06:29:30 2015 GMT
Next Update: Sep 14 02:16:10 2015 GMT <--------------------- 8 days

Thank you,

Posted at Nginx Forum:

Hello!

On Mon, Sep 07, 2015 at 10:17:22AM -0400, 173279834462 wrote:

> Hello,
>
> nginx is not updating the ocsp response cache:
>
> This Update: Sep  5 08:36:32 2015 GMT
> Next Update: Sep  7 08:36:32 2015 GMT
>
> It is 16:09, so the cache is 8h behind.
>
> How would you diagnose and solve this problem?

OCSP responses are re-requested by nginx after 1 hour; older
responses may be returned only if there are no requests for OCSP
stapling for a long time. If you consistently see an expired
response, this likely means that it's what the OCSP responder of your
CA returns.

Also, as of nginx 1.9.2, there are checks to avoid returning
expired OCSP responses as this confuses some browsers. You may
want to upgrade if you see expired responses returned.

> A related question is the duration of the cache.
> The local server uses 2 days, as shown above.
> How would you change this duration to, say, 8 days?

"This Update" and "Next Update" aren't something nginx controls;
they are returned by the OCSP responder of your CA.


Maxim D.
http://nginx.org/
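A small diagnostic for the question raised in the thread, added here as an example and not part of either post: it parses the "This Update" / "Next Update" lines from `openssl s_client -status` output (the same command the original poster used, minus the grep filters) and reports whether the stapled response is still inside its validity window, how old it is, and by how much it has expired. The embedded samples are constructed from the timestamps quoted above, and the "now" of 16:09 is assumed to be UTC; `fetch_staple` needs network access and is only there to show how the live output would be obtained.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed samples (not captured from a live server): the OCSP lines that
# `openssl s_client -status` prints, with the timestamps quoted in the thread.
STALE_STAPLE = """\
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Sep  5 08:36:32 2015 GMT
    Next Update: Sep  7 08:36:32 2015 GMT
"""

FRESH_STAPLE = """\
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    This Update: Sep  6 06:29:30 2015 GMT
    Next Update: Sep 14 02:16:10 2015 GMT
"""

NO_STAPLE = "OCSP response: no response sent\n"

# openssl prints "Sep  5 08:36:32 2015 GMT" (two spaces before a single-digit
# day), so the captured timestamp is whitespace-normalised before parsing.
_UPDATE_RE = re.compile(
    r"^\s*(This Update|Next Update):\s*"
    r"(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT\s*$",
    re.MULTILINE,
)


def _parse_gmt(raw):
    """Turn 'Sep  5 08:36:32 2015' into an aware UTC datetime."""
    normalised = " ".join(raw.split())
    return datetime.strptime(normalised, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def assess_staple(output, now):
    """Classify the OCSP staple found in `openssl s_client -status` output.

    verdict is one of:
      NO_STAPLE - the server sent no OCSP response in the handshake
      EXPIRED   - 'Next Update' is already in the past (the thread's symptom)
      VALID     - now lies inside the thisUpdate..nextUpdate window
    """
    if "no response sent" in output:
        return {"verdict": "NO_STAPLE"}
    found = dict(_UPDATE_RE.findall(output))
    if "This Update" not in found or "Next Update" not in found:
        raise ValueError("could not find This Update / Next Update in openssl output")
    status_m = re.search(r"Cert Status:\s*(\w+)", output)
    this_update = _parse_gmt(found["This Update"])
    next_update = _parse_gmt(found["Next Update"])
    expired = now >= next_update
    return {
        "verdict": "EXPIRED" if expired else "VALID",
        "cert_status": status_m.group(1) if status_m else "unknown",
        "this_update": this_update,
        "next_update": next_update,
        # How long the CA makes each response valid (the "duration" asked about).
        "window": next_update - this_update,
        # How old the served response is relative to now.
        "age": now - this_update,
        "expired_for": (now - next_update) if expired else timedelta(0),
        "remaining": (next_update - now) if not expired else timedelta(0),
    }


def fetch_staple(host, port=443, timeout=15):
    """Run the thread's openssl command against a live host and return its output.
    Requires network access; not exercised by the offline samples above."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True, timeout=timeout)
    return proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")


if __name__ == "__main__":
    # The poster's "16:09" on Sep 7 2015, assumed to be UTC.
    now = datetime(2015, 9, 7, 16, 9, 32, tzinfo=timezone.utc)
    for label, sample in (("local nginx", STALE_STAPLE),
                          ("ssllabs.com", FRESH_STAPLE),
                          ("no stapling", NO_STAPLE)):
        print(label, assess_staple(sample, now))
```

Run against the first sample this reports EXPIRED with `expired_for` of 7h33m, which matches the "8h behind" in the question; the `window` field (2 days for the local CA, just under 8 days for the ssllabs.com responder) is what the second question is about, and, as the reply says, it is set by the CA's responder rather than by nginx.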