
URL: https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx?comment=33465

How To Configure OCSP Stapling on Apache and Nginx

Published on June 12, 2014
๐Ÿ‘ How To Configure OCSP Stapling on Apache and Nginx

Introduction

OCSP stapling is a TLS/SSL extension that aims to improve the performance of the SSL handshake while preserving visitor privacy. Before going ahead with the configuration, here is a short brief on how certificate revocation works. This article uses free certificates issued by StartSSL for the demonstration.

This tutorial will use the base configuration for Apache and Nginx outlined below:


Some articles told us to use the dns from google:

resolver 8.8.8.8;

Is it possible to use DigitalOcean DNS?

Great… ! Using it with nginx there is a little issue related to the time it takes to get enabled, which is discussed here: https://community.qualys.com/thread/12315 The directive “resolver” tells the web server which DNS resolver to use for external access. Well… if I do not specify any, will the default be my system’s DNS resolver? Or is this not necessary because we are specifying the CA root and its intermediates? Does anybody know?

If you append .pem to the end of the DigiCert urls, it will download as PEM instead of DER i.e. you would put: wget -O - https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt.pem

Thanks guys, great guide! Just enabled OCSP stapling on my Nginx cluster.

One thing I noticed is that the command to test the OCSP response does not work correctly with servers that use SNI. For that, you must specify the -servername flag, e.g.:

echo QUIT | openssl s_client -connect www.digitalocean.com:443 -servername www.digitalocean.com -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
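A scripted version of the check in this comment, written as an added example (it is not code from the tutorial or from its commenters): it builds the openssl s_client command with -servername so the SNI host's certificate is the one inspected, and parses the -status output into a small summary. The two sample outputs are constructed to match the shape openssl prints, so the parser runs offline; www.example.com is a placeholder host.

```python
"""Check whether a TLS endpoint staples an OCSP response (added example)."""
import re
import subprocess


def stapling_check_command(host, port=443):
    """argv for `openssl s_client` that asks for a stapled OCSP response.

    -servername sets the SNI hostname, so a server that hosts several sites
    presents the certificate (and stapled response) for `host`, not its
    default one.
    """
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-servername", host, "-status"]


def parse_ocsp_status(output):
    """Summarize the OCSP section printed by `openssl s_client -status`.

    Returns a dict: stapled (bool), response_status, cert_status,
    this_update, next_update. String fields are None when absent.
    """
    result = {"stapled": False, "response_status": None, "cert_status": None,
              "this_update": None, "next_update": None}
    if "OCSP response: no response sent" in output:
        return result                       # server did not staple anything
    m = re.search(r"OCSP Response Status:\s*(\w+)", output)
    if not m:
        return result                       # no OCSP section in the output
    result["response_status"] = m.group(1)
    if m.group(1) != "successful":
        return result                       # stapled, but not a usable status
    result["stapled"] = True
    for key, label in (("cert_status", "Cert Status"),
                       ("this_update", "This Update"),
                       ("next_update", "Next Update")):
        m = re.search(rf"{label}:\s*(.+)", output)
        if m:
            result[key] = m.group(1).strip()
    return result


def check_stapling(host, port=443, timeout=15):
    """Run the real check against a live server (needs network and openssl)."""
    proc = subprocess.run(stapling_check_command(host, port), input="QUIT\n",
                          capture_output=True, text=True, timeout=timeout)
    return parse_ocsp_status(proc.stdout)


# Constructed sample outputs, shaped like openssl's, so this runs offline.
STAPLED_SAMPLE = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Example CA, CN = Example OCSP Responder
    Produced At: Jun 19 13:05:00 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Serial Number: 0102030405060708
    Cert Status: good
    This Update: Jun 19 13:00:00 2015 GMT
    Next Update: Jun 26 13:00:00 2015 GMT
======================================
"""

NOT_STAPLED_SAMPLE = "OCSP response: no response sent\n"

if __name__ == "__main__":
    print(" ".join(stapling_check_command("www.example.com")))
    print(parse_ocsp_status(STAPLED_SAMPLE))
    print(parse_ocsp_status(NOT_STAPLED_SAMPLE))
```

The `next_update` field is the one worth watching in monitoring: a stapled response whose Next Update has passed is one a client will reject just as if nothing were stapled.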

Hi Jesin, I’m using a Geotrust SSL-EV on my site. The certificate comes in .crt and .key extensions.

May you help me with the command line to retrieve the CA bundle from Geotrust and convert it to .pem?

Thank you very much in advance!

Hi @jesin, they provided only the intermediate certificate. The other one has my name. I followed a tutorial from here to convert these two files and install it in my server. Thanks for your response and support.

@jesin I checked the error.log and it is returning this message:

2015/06/19 14:37:41 [error] 21257#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get issuer certificate) while requesting certificate status, responder: gk.symcd.com

I downloaded the “Root 3” from this address https://www.geotrust.com/resources/root-certificates/ and I concatenated it with the .crt intermediate certificate that the CA sent to me by e-mail.

Is this the right certificate for use?

Thanks again!
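As an added example (not code from the tutorial or from this commenter), here is a small triage script for nginx error-log lines like the one quoted above: it picks out OCSP stapling failures, extracts the responder host, and maps each message to the directive to look at first. The first sample line is the one from the post; the other log lines are constructed, ocsp.example-ca.test is a placeholder responder, and the hint table is my reading of what each nginx stapling message implies.

```python
"""Triage OCSP stapling failures in an nginx error log (added example)."""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+#\d+): (?P<msg>.*)$")
RESPONDER_RE = re.compile(r"responder: (?P<responder>\S+)")

# Message fragment -> (cause key, what to check first). Assumption: these
# remedies follow from how nginx verifies stapled responses against
# ssl_trusted_certificate and resolves the responder host via `resolver`.
CAUSES = (
    ("unable to get issuer certificate", "chain_incomplete",
     "ssl_trusted_certificate must contain the intermediate(s) and root "
     "needed to verify the responder's signing certificate, in PEM form"),
    ("no resolver defined", "no_resolver",
     "add a 'resolver' directive; nginx needs DNS to reach the responder"),
    ("OCSP responder timed out", "responder_timeout",
     "check outbound connectivity to the responder and resolver_timeout"),
    ("OCSP responder prematurely closed connection", "responder_closed",
     "responder or a middlebox dropped the HTTP request; check egress path"),
    ('certificate status "revoked"', "revoked",
     "the responder reports the certificate revoked; reissue it"),
)


def classify(msg):
    """Map one message to (cause, hint); unknown messages are kept, not dropped."""
    for fragment, cause, hint in CAUSES:
        if fragment in msg:
            return cause, hint
    return "unknown", "inspect the full message"


def triage(lines):
    """Return one record per OCSP-related error line, in log order."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        # nginx's stapling code appends "while requesting certificate status"
        # to its errors, and reports revocation as 'certificate status "..."'.
        if "certificate status" not in msg:
            continue
        cause, hint = classify(msg)
        r = RESPONDER_RE.search(msg)
        records.append({"ts": m.group("ts"), "level": m.group("level"),
                        "cause": cause, "hint": hint,
                        "responder": r.group("responder") if r else None})
    return records


def summarize(records):
    """Count failures per cause, for a quick read of what is wrong."""
    return Counter(rec["cause"] for rec in records)


# Sample log: line 1 is the one quoted in the post; the rest are constructed.
SAMPLE_LOG = [
    '2015/06/19 14:37:41 [error] 21257#0: OCSP_basic_verify() failed (SSL: '
    'error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:'
    'Verify error:unable to get issuer certificate) while requesting '
    'certificate status, responder: gk.symcd.com',
    '2015/06/19 14:40:02 [warn] 21257#0: no resolver defined to resolve '
    'ocsp.example-ca.test while requesting certificate status, '
    'responder: ocsp.example-ca.test',
    '2015/06/19 14:41:10 [error] 21257#0: OCSP responder timed out '
    '(110: Connection timed out) while requesting certificate status, '
    'responder: ocsp.example-ca.test',
    '2015/06/19 14:42:00 [error] 21257#0: *12 open() "/var/www/html/x.png" '
    'failed (2: No such file or directory), client: 192.0.2.10, '
    'server: mysite.com',
]

if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for rec in recs:
        print(rec["ts"], rec["cause"], rec["responder"], "->", rec["hint"])
    print(summarize(recs))
```

For the quoted line, the record comes out as chain_incomplete with responder gk.symcd.com: OCSP_basic_verify() could not build the responder certificate's chain from the file named in ssl_trusted_certificate, which is exactly the bundle the comment is trying to assemble.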

By the way, this is my config file.

  • I commented out the ssl stapling lines because it isn’t working anyway.

server {
    listen 80;
    server_name mysite.com;
    return 301 https://www.mysite.com$request_uri;
}

server {
    listen 443 ssl spdy;
    keepalive_timeout 120;
    ssl on;
    ssl_certificate /etc/nginx/ssl/www.mysite.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www_mysite_com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers AES256+EECDH:AES256+EDH;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 20m;
    ssl_session_tickets on;
    ## ssl_stapling on;
    ## ssl_stapling_verify on;
    ## resolver 8.8.4.4 8.8.8.8 valid=300s;
    ## resolver_timeout 10s;
    ## ssl_trusted_certificate /etc/nginx/ssl/private/ca-certs.pem;
    add_header Strict-Transport-Security max-age=31536000;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;

    root /var/www/html;

    location / {
        index index.html index.php;
        try_files $uri $uri/ @handler;
        expires 30d;
    }

    ## These locations need to be denied
    location ^~ /app/ { deny all; }
    location ^~ /includes/ { deny all; }
    location ^~ /lib/ { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/ { deny all; }
    location ^~ /report/config.xml { deny all; }
    location ^~ /var/ { deny all; }

    location /var/export/ {
        auth_basic "Restricted";
        auth_basic_user_file htpasswd; ## Defined at /etc/nginx/htpassword
        autoindex on;
    }

    location ~* \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|otf|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|t?gz|tif|tiff|ttf|wav|webm|wma|woff|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31536000s;
        access_log off;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "max-age=31536000, public, must-revalidate, proxy-revalidate";
    }

    ## Disable .htaccess and other hidden files
    location ~ /\. { deny all; error_log off; log_not_found off; }
    ##return 404;

    ## ignore common 404s
    location = /robots.txt { access_log off; log_not_found off; }
    location = /favicon.ico { access_log off; log_not_found off; }

    ## Magento uses a common front handler
    location @handler {
        rewrite / /index.php;
    }

    ## Forward paths like /js/index.php/x.js to relevant handler
    location ~ .php/ {
        rewrite ^(.*.php)/ $1 last;
    }

    ## php-fpm parsing
    location ~ \.php$ {
        limit_req zone=limit burst=10 nodelay;

        ## Catch 404s that try_files miss
        if (!-e $request_filename) { rewrite / /index.php last; }
        try_files $uri =404;

        ## Disable cache for php files
        expires off;

        ## php-fpm configuration
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_param HTTPS on;
        fastcgi_param HTTPS $fastcgi_https;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param SERVER_NAME $host;
        fastcgi_index index.php;
        include fastcgi_params;

        ## Store code is located at Administration > Configuration > Manage Stores in your Magento Installat$
        fastcgi_param MAGE_RUN_CODE default;
        fastcgi_param MAGE_RUN_TYPE store;

        ## Tweak fastcgi buffers, just in case.
        fastcgi_buffer_size 128k;
        fastcgi_buffers 256 4k;
        fastcgi_busy_buffers_size 256k;
        fastcgi_temp_file_write_size 256k;
    }

    rewrite ^/minify/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
    rewrite ^/skin/m/([0-9]+)(/.*.(js|css))$ /lib/minify/m.php?f=$2&d=$1 last;
}

Actual Retrieve the CA bundle for StartSSL

wget -O - https://www.startssl.com/certs/ca.pem https://www.startssl.com/certs/class1/sha2/pem/sub.class1.server.sha2.ca.pem | tee -a ca-certs.pem > /dev/null

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.