SteveLTN / https-portal

A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
MIT License

OCSP stapling? #264

Closed MarcelWaldvogel closed 3 years ago

MarcelWaldvogel commented 3 years ago

What do you think about providing stapling support?

It seems that just using ssl_stapling on; is prone to OCSP server outages. However, there seems to be a workaround which is based on managing OCSP responses outside of nginx.

I think the daily certificate renewal check could also take care of trying to obtain a new OCSP response if more than half of its lifetime has already passed (for Let's Encrypt, the lifetime is 7d, according to a Let's Encrypt engineer) and storing it in the ssl_stapling_file, if successful.

SteveLTN commented 3 years ago

I'm afraid I have no intention of supporting OCSP.

MarcelWaldvogel commented 3 years ago

No problem. Anyone interested in basic OCSP stapling support can just add

ssl_stapling on;

to CUSTOM_NGINX_SERVER_CONFIG_BLOCK.

Please note that this is not safe when the "must_staple" option has been set and the Let's Encrypt OCSP servers have been down at the last stapling update. This is a rare combination and should be fixed in nginx, anyway, IMHO.
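As an added example (not part of https-portal and not code from either commenter), here is a sketch of the "manage the OCSP response outside nginx" approach from the first post: a POSIX shell script meant to be run from the daily renewal check, which refreshes the staple file only once more than half of the current response's lifetime has elapsed and keeps the previous file if the responder is unreachable. The file paths, the script name and the `to_epoch` helper (which assumes GNU `date -d`) are assumptions.

```shell
#!/bin/sh
# ocsp-refresh.sh CERT CHAIN STAPLE_FILE   (hypothetical name; paths are assumptions)
# nginx side, e.g. in CUSTOM_NGINX_SERVER_CONFIG_BLOCK:
#   ssl_stapling on;
#   ssl_stapling_file /path/to/staple.der;
# nginx serves the file as-is, so a stale-but-valid staple is better than none.

# Epoch seconds for a timestamp as printed by openssl ("Mar  1 12:00:00 2021 GMT").
# Assumes GNU date; BSD date would need "date -j -f".
to_epoch() { date -u -d "$1" +%s; }

# True (exit 0) when more than half of the response lifetime [this, next] has
# elapsed at "now", or when the window is unusable (refresh to be safe).
ocsp_needs_refresh() {
  this=$1; next=$2; now=$3
  lifetime=$((next - this)); elapsed=$((now - this))
  [ "$lifetime" -gt 0 ] || return 0
  [ $((elapsed * 2)) -gt "$lifetime" ]
}

# Print "<thisUpdate> <nextUpdate>" (epoch) of an existing DER response, or fail.
staple_window() {
  txt=$(openssl ocsp -respin "$1" -noverify -text 2>/dev/null) || return 1
  this=$(printf '%s\n' "$txt" | sed -n 's/^ *This Update: //p' | head -n1)
  next=$(printf '%s\n' "$txt" | sed -n 's/^ *Next Update: //p' | head -n1)
  [ -n "$this" ] && [ -n "$next" ] || return 1
  echo "$(to_epoch "$this") $(to_epoch "$next")"
}

# Fetch a new response only when needed; replace the staple file atomically.
refresh_staple() {
  cert=$1; chain=$2; staple=$3; now=$(date -u +%s)
  if [ -s "$staple" ] && win=$(staple_window "$staple"); then
    set -- $win
    ocsp_needs_refresh "$1" "$2" "$now" || { echo "staple still fresh"; return 0; }
  fi
  url=$(openssl x509 -noout -ocsp_uri -in "$cert")
  tmp="$staple.tmp"
  if openssl ocsp -issuer "$chain" -cert "$cert" -url "$url" -no_nonce \
       -verify_other "$chain" -respout "$tmp" >/dev/null 2>&1 && [ -s "$tmp" ]; then
    mv -f "$tmp" "$staple"      # rename is atomic; nginx picks it up on reload
    echo "staple refreshed"; return 0
  fi
  rm -f "$tmp"
  echo "OCSP responder unavailable; keeping previous staple" >&2   # outage case
  return 1
}

if [ "$#" -eq 3 ]; then refresh_staple "$1" "$2" "$3"; fi
```

A non-zero exit on responder outage lets the calling cron job log it; the old file remains, which is exactly the "must_staple plus outage" edge case the second comment warns about.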