Letsencrypt Handling OCSP stapling cache on Nginx

Discussion in 'Domains, DNS, Email & SSL Certificates' started by petecooper, Apr 13, 2020.

  1. petecooper

    petecooper New Member

    After a few days of tearing my hair out, it appears Nginx does not prime its OCSP cache for a site for the very first visitor. This can result in TLS errors (MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING on Firefox is quite a common one) for browsers, and TLS tests incorrectly report non-functioning OCSP stapling, since Nginx won't provide one on the first hit.


    The solution, I think, is to prime the cache so the first hit does get an OCSP stapled response. I think I could run OpenSSL once for each site to populate the cache, and add that to a cron task, but is there another way to do it? I suppose I could have a task run to visit all the sites a few times over to prime the pot, but that seems a bit of a blunt approach.

    Thank you for reading, any advice and/or feedback very warmly welcomed.
     
  2. eva2000

    eva2000 Administrator Staff Member

    This only happens when you issue and use SSL certificates with an optional/additional OCSP must staple extension flag. Normal SSL certificate issuance doesn't include the OCSP must staple extension flag. Centmin Mod doesn't, at least in its default Nginx HTTPS configurations, because, as you said, the Nginx OCSP implementation serves OCSP responses on a per-worker basis and the first request by a visitor does not get an OCSP response immediately but is cached for subsequent responses. So it takes a few visits to prime the OCSP response cache, as each Nginx worker has its own cache.

    The only way is that Nginx can optionally support an OCSP stapled response file, which you need to programmatically create via a cronjob, as the OCSP responses are usually only valid for a specific period, like 5 days or so.

    If you know how to code, you could develop your own separate OCSP server to handle just the OCSP stapled response and prefetch it: High-reliability OCSP stapling and why it matters
     
  3. eva2000

    eva2000 Administrator Staff Member

    Note the differences too with the OCSP must staple extension enabled in your SSL letsencrypt certificate.
    • Nginx's default native OCSP response cache method will cache subsequent OCSP requests eventually, once all nginx workers have been cache primed. So only the 1st visit won't have an OCSP response.
    • Whereas if you do an OCSP stapled file cache with a cronjob, all requests, even the 1st request, will get an OCSP stapled cached response. However, if the cronjob process fails to cache and/or the OCSP staple cache fails, then all your requests, subsequent + first, will fail and you've effectively DoS attacked your own site, as any browser visitor request will fail to load your site because the browser would have been instructed by the OCSP must staple extension in your SSL cert to check for revocation/OCSP.
    • Also, the OCSP stapled file cached response does not support Nginx dual RSA + ECC SSL certificate support (SSL - Nginx 1.11.0 introduces dual ECDSA + RSA SSL certificate support!). It can only support 1 SSL certificate and not multiple SSL certificates per domain name.
     
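The cronjob-driven `ssl_stapling_file` approach described in the two posts above, as an added example that is not from this thread or from Centmin Mod: a hypothetical refresh script that fetches a fresh OCSP response with `openssl ocsp`, only swaps the file in after the response verifies as "good", and otherwise keeps the previous staple, so a failed fetch does not turn into the self-inflicted outage described for must-staple certificates. All file paths are assumptions.

```bash
#!/bin/bash
# Hypothetical OCSP staple refresher (not Centmin Mod code). Run from cron with:
#   refresh_staple /etc/ssl/site/cert.pem /etc/ssl/site/chain.pem /etc/ssl/site/staple.der
# Expected nginx config (paths are assumptions):
#   ssl_stapling on;  ssl_stapling_file /etc/ssl/site/staple.der;
set -u

# Extract the OCSP responder URL from the leaf certificate's AIA extension.
ocsp_uri_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Return 0 only if a DER OCSP response verifies and reports "good" for the leaf.
# The chain file is used as the issuer (its first cert) and as the verify CA set.
staple_is_good() {   # args: response.der cert.pem chain.pem
    local summary
    summary=$(openssl ocsp -respin "$1" -issuer "$3" -cert "$2" -CAfile "$3" -no_nonce 2>&1) \
        && printf '%s\n' "$summary" | grep -q 'Cert Status: good'
}

# Fetch a fresh response; atomically replace the staple file only if it is good.
# On any failure the previous staple file is left untouched and the temp file removed.
refresh_staple() {   # args: cert.pem chain.pem staple.der
    local cert=$1 chain=$2 out=$3 uri tmp
    uri=$(ocsp_uri_of "$cert") || return 1
    tmp=$(mktemp "${out}.XXXXXX") || return 1
    if openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" -no_nonce \
            -respout "$tmp" >/dev/null 2>&1 && staple_is_good "$tmp" "$cert" "$chain"; then
        mv -f "$tmp" "$out"        # rename is atomic: nginx never reads a partial file
        return 0
    fi
    rm -f "$tmp"
    echo "OCSP refresh failed for $cert; keeping previous staple" >&2
    return 1
}
```

nginx reads `ssl_stapling_file` when its configuration is loaded, so the cronjob should reload nginx after a successful swap.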
  4. eva2000

    eva2000 Administrator Staff Member
