SSL OCSP stapling won't enable

According to ssllabs.com SSL OCSP stapling is not enabled, even though I
have the following in my http block:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.trust.crt;
resolver 8.8.4.4 8.8.8.8 valid=600s;
resolver_timeout 15s;

Any idea why? Here is my full ssllabs.com report:
SSL Server Test: commando.io (Powered by Qualys SSL Labs)

Posted at Nginx Forum:

Only when I set ssl_stapling_verify off; I can get OCSP stapling to
work on my setup. In my experience it helps to (re)load the page a few
times before testing with SSLLabs to give the server time to fetch the
OCSP response.

Best regards
MacLemon

I’m using StartSSL for my certificates, so I had problems with the
ssl_trusted_certificate too.

Just using resolver and ssl_stapling on got mine enabled.

https://www.ssllabs.com/ssltest/analyze.html?d=stevewilson.co.uk

Using openssl on the console’s helpful too:

openssl s_client -connect www.stevewilson.co.uk:443 -tls1 -tlsextdebug -status < /dev/null | grep OCSP

When it’s not working yet, it gives “OCSP response: no response sent”.

Give it time to gather the data and it then gives response data.

Steve.
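The console check described above, as an added example that is not part of the original thread: it classifies the OCSP section of `openssl s_client -status` output and retries, since the first handshakes after a reload may carry no stapled response. The function names, port 443, retry count and sleep interval are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `openssl s_client -status`.

# stapling_status: reads s_client output on stdin and prints one word:
#   none                 - no stapled response was sent
#   good|revoked|unknown - Cert Status from a successful stapled response
#   error                - a response was stapled but is not "successful"
stapling_status() {
    awk '
        /OCSP response: no response sent/        { print "none";  seen = 1; exit }
        /OCSP Response Status:/ && !/successful/ { print "error"; seen = 1; exit }
        /Cert Status:/                           { print $3;      seen = 1; exit }
        END { if (!seen) print "none" }
    '
}

# wait_for_stapling HOST [TRIES]: poll HOST on port 443 (assumed) until a
# stapled response shows up. nginx fetches the OCSP response lazily, so the
# first few handshakes after a reload can legitimately report "none".
wait_for_stapling() {
    host=$1; tries=${2:-5}; i=1
    while [ "$i" -le "$tries" ]; do
        status=$(openssl s_client -connect "$host:443" -servername "$host" \
                     -status </dev/null 2>/dev/null | stapling_status)
        [ "$status" != "none" ] && { echo "$status"; return 0; }
        sleep 2; i=$((i + 1))
    done
    echo "none"; return 1
}

# Constructed sample outputs (trimmed), not captured from a real server.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

# Usage against a live server: wait_for_stapling www.example.com 5
```

If this still prints `none` after several tries with ssl_stapling_verify on, the nginx error log is the place to look for the OCSP verification failure.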

Steve,

Yeah, I am getting "OCSP response: no response sent". Should I try
"ssl_stapling_verify off;"?

Any other ideas? Thanks.

This configuration is working for me. Perhaps nginx cannot verify the
OCSP response with the bundle in /etc/pki/tls/certs/ca-bundle.trust.crt?
In my ssl_trusted_certificate file, I have these certificates, in order.

C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=Sign In, CN=Go Daddy Secure Certification Authority/serialNumber=07969287

I put my file in Go Daddy Nginx ssl_trusted_certificate - Pastebin.com for reference.
Hope this helps!

Ryanne

To add a bit more info, I see your site is using a Go Daddy G2 (SHA2)
cert. In that case, here is the intermediate/root chain you’ll want to
use as ssl_trusted_certificate.

C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=Repository, CN=Go Daddy Secure Certificate Authority - G2
C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2

Ryanne

Thanks so much, that worked perfectly using
Go Daddy G2 Nginx ssl_trusted_certificate - Pastebin.com.

Danke!
