Closed MarcelWaldvogel closed 3 years ago
I'm afraid I have no intention of supporting OCSP.
No problem. Anyone interested in basic OCSP stapling support can just add `ssl_stapling on;` to `CUSTOM_NGINX_SERVER_CONFIG_BLOCK`.
Please note that this is not safe when the "must_staple" option has been set and the Let's Encrypt OCSP servers have been down at the last stapling update. This is a rare combination and should be fixed in nginx anyway, IMHO.
What do you think about providing stapling support?
It seems that just using `ssl_stapling on;` is prone to OCSP server outages. However, there seems to be a workaround which is based on managing OCSP responses outside of nginx. I think the daily certificate renewal check could also take care of trying to obtain a new OCSP response if more than half of its lifetime has already passed (for Let's Encrypt, the lifetime is 7d, according to a Let's Encrypt engineer) and storing it in the `ssl_stapling_file`, if successful.
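One possible shape for that daily check, as an added example that is not from this issue or the project: it refreshes the file behind `ssl_stapling_file` only once more than half of the current response's lifetime has passed, and keeps the old response when the responder is unreachable. The certificate paths, the use of GNU `date -d`, and the `nginx -s reload` after a successful fetch are assumptions.

```shell
#!/bin/sh
# Added example (not the project's code): daily cron job that keeps the
# OCSP response referenced by nginx's ssl_stapling_file fresh.
set -eu

CERT=/etc/letsencrypt/live/example.com/cert.pem     # placeholder path
CHAIN=/etc/letsencrypt/live/example.com/chain.pem   # placeholder path (issuer)
STAPLE=/etc/nginx/ocsp/example.com.der              # the ssl_stapling_file

# Decide whether to refresh: true once $3 (now) is past the midpoint of
# [this_update, next_update]. All three arguments are Unix timestamps.
needs_refresh() {
    half=$(( ($1 + $2) / 2 ))
    [ "$3" -ge "$half" ]
}

# Read `openssl ocsp -text` output on stdin and print "<this> <next>" as
# epoch seconds. The text lines look like "This Update: Jun  1 12:00:00 2024 GMT".
response_window() {
    awk -F': ' '/This Update:/ {t=$2} /Next Update:/ {n=$2} END {print t "\n" n}' |
        while IFS= read -r stamp; do date -u -d "$stamp" +%s; done | tr '\n' ' '
}

# Fetch a new response; -CAfile verifies the responder signature. On failure
# the previous response stays in place, so a must-staple site keeps serving
# a (still valid) staple through a responder outage instead of none at all.
refresh() {
    url=$(openssl x509 -in "$CERT" -noout -ocsp_uri)
    tmp=$(mktemp "$STAPLE.XXXXXX")
    if openssl ocsp -issuer "$CHAIN" -cert "$CERT" -url "$url" \
            -CAfile "$CHAIN" -respout "$tmp" >/dev/null 2>&1; then
        mv -f "$tmp" "$STAPLE" && nginx -s reload   # nginx reads the file at load
    else
        rm -f "$tmp"; echo "OCSP fetch failed; keeping previous staple" >&2
    fi
}

main() {
    now=$(date +%s)
    if [ -s "$STAPLE" ]; then
        # Two epoch values; word splitting is intended.
        set -- $(openssl ocsp -respin "$STAPLE" -noverify -text 2>/dev/null | response_window)
        if [ $# -eq 2 ] && ! needs_refresh "$1" "$2" "$now"; then
            exit 0   # still in the first half of its lifetime
        fi
    fi
    refresh
}

case "${1:-}" in run) main ;; esac   # cron entry: ocsp-refresh.sh run
```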