WoSign OCSP stapling with nginx
Hi,
Following the recommendation on ohling.org I wanted to set up OCSP stapling for my website running nginx with the free WoSign cert.
Using the guide on DigitalOcean I already fail at converting the root CA from DER to PEM...
Is there any fool-proof guide for this or are there any specific things to take care of when doing this with WoSign certs?
Thanks!
Comments
Have you followed these?
From what I understand, if you are using the certificate in the "for nginx" archive (which contains your certificate, the intermediate CA and the root CA) you can simply configure nginx this way so that it will automatically do the queries to the OCSP "server-side when needed":
Instead of querying the OCSP server-side you can get the result from their certificates saved locally:
add this line in nginx to the previous configuration:
But from what I've read you have to keep that ca-certs.pem file updated and I'm not sure if nginx will take care of that or you have to do it in a cron job.
Source:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
When set, the stapled OCSP response will be taken from the specified file instead of querying the OCSP responder specified in the server certificate.
Thanks, this is just what I was looking for!
I've been getting BAD GATEWAY for more than 10 hours from Wosign when querying their revocation server at http://ocsp6.wosign.com/ca6/server1/free
Anyone else seeing this problem? I think those OCSP certs are only valid for 48h or so. I don't know what happens if a browser can't verify the revocation state of a certificate but it probably won't load the site.
I've been getting "Code=404,Reason=Not Found", for a while too - does anyone have any other urls that I should be querying against?
http://ocsp6.wosign.com/ca6/server1/free is the one in my cert also.
Thanks
SUCH CONCERN. Relax, nobody checks these, and if they do, inability to check is not a fatal error (a successful check and the cert in the revoked list may be a different story).
I don't know where you got this URL; mine are nothing even close.
Also in general I am of the opinion that this "OCSP stapling" is for OCD types with too much time on their hands, e.g. my preferred Lighttpd doesn't even support this at all, and I am not bothered in the slightest. Everything just works without it, and I did not have any kind of slowdown due to SSL, ever.
OCSP lets you know if your connection has been intercepted, e.g. my workplace has transparent SSL web filtering.
With stapling I get an alert to let me know my connection is not encrypted end-to-end.
With it disabled I get no warning, even though if I manually check the SSL certificate at work it is signed by our work CA rather than the CA I purchased the certificate from.
If that is an issue for you, remove your "work CA" from the list of trusted CAs in your browser. If you are not allowed to, change to a better workplace, one where the employer respects the privacy of employees. Or you know, just don't visit non-work-related sites, maybe. OCSP has nothing to do with this; while it might somehow warn you as a side effect, that's not its intended purpose at all.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate "/path/to/for_apache/root_bundle.crt";
Use the root bundle from the "for apache" zip file.
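Added example (mine, not from any poster in this thread) tying together the ssl_stapling_file/cron approach mentioned earlier and the ssl_trusted_certificate config above: a small POSIX sh script that checks whether a server really sends a stapled response and refreshes the stapling file from the CA's responder. Paths under /etc/nginx/ssl/ and the host name are assumed placeholders.

```shell
#!/bin/sh
# Added example for this thread (not from any poster): check that a host really
# staples OCSP, and refresh the file behind ssl_stapling_file from a cron job.
# Paths and the host name are placeholders for your own deployment.

# Classify `openssl s_client -status` output: "stapled" when a successful response
# came with the handshake, "none" when nothing was sent, "unknown" otherwise.
staple_status() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    else
        echo unknown
    fi
}

# Probe a live host (needs network). -servername matters: without SNI the default
# vhost answers and you end up testing the wrong certificate.
check_live() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null)
    staple_status "$out"
}

# Fetch a fresh response for ssl_stapling_file. nginx serves the file verbatim,
# so it must be DER as written by `openssl ocsp -respout`, and it must be
# refreshed before the response's nextUpdate passes (daily from cron is typical).
refresh_staple_file() {
    cert=/etc/nginx/ssl/site.crt            # leaf certificate, PEM
    issuer=/etc/nginx/ssl/intermediate.crt  # CA that signed the leaf, PEM
    root_der=/etc/nginx/ssl/root.cer        # root as shipped, DER
    root_pem=/etc/nginx/ssl/root.pem
    staple=/etc/nginx/ssl/ocsp.der          # path given to ssl_stapling_file
    # The DER-to-PEM step from the opening post; -CAfile wants PEM.
    [ -f "$root_pem" ] || openssl x509 -inform DER -in "$root_der" -out "$root_pem"
    url=$(openssl x509 -noout -ocsp_uri -in "$cert")
    result=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" -url "$url" \
        -CAfile "$root_pem" -respout "$staple.tmp" 2>/dev/null) || return 1
    # Install only if the signature verified and the leaf is "good"; serving a
    # stale error or a "revoked" blob is worse than stapling nothing.
    case "$result" in
        *"Response verify OK"*": good"*) mv "$staple.tmp" "$staple" && nginx -s reload ;;
        *) rm -f "$staple.tmp"; return 1 ;;
    esac
}

# Constructed excerpt of s_client output with a staple present; prints "stapled".
staple_status 'OCSP response:
    OCSP Response Status: successful (0x0)'
```

Run `check_live yourhost.example` after reloading nginx; the first request after a reload may still report "none" because nginx fetches the responder lazily unless ssl_stapling_file is used.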
Just a heads up: Wosign blocks certain IP ranges from accessing their authoritative name servers (i.e. ns8.360wzb.com). This is from an OVH IP range (some source IPs work, some don't):
dig +trace ocsp6.wosign.com