digitalocean / nginxconfig.io

⚙️ NGINX config generator on steroids 💉
https://do.co/nginxconfig
MIT License
27.38k stars 2.01k forks

Configuring OCSP #340

Open pikausp opened 2 years ago

pikausp commented 2 years ago

Information

https://whatismybrowser.com/w/QCB7F49

Help request

Problem

OCSP is not enabled after using the generated configuration. Multiple tools (DigiCert helpers, SSL Labs, openssl) report that OCSP is disabled. I made sure I was checking this on subsequent requests due to the asynchronicity of the OCSP fetch.

What I have tried

The OCSP stapling configured in nginx.conf:

# OCSP Stapling
ssl_stapling           on;
ssl_stapling_verify    on;
resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout       2s;

The trusted certificate configured in the server block (some systems might require this when ssl_stapling_verify is on):

ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
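
A way to reproduce the check the reporter describes, as an added example that is not part of the nginxconfig.io project or of this issue: probe the endpoint twice with openssl, because nginx only fetches the OCSP response after the first handshake that asks for it, so the second connection is the one that counts. The hostname/port and the two transcripts embedded below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the nginxconfig.io project or this issue: probe a
# TLS endpoint for OCSP stapling on a second connection, because nginx fetches
# the OCSP response asynchronously after the first handshake that needs it.
# The hostname/port and the two transcripts below are constructed.

# Constructed excerpt of `openssl s_client -status` against a server that staples.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT
======================================'

# Constructed excerpt from a server with stapling off (or not fetched yet).
SAMPLE_NOT_STAPLED='OCSP response: no response sent
---
Certificate chain
 0 s:CN = example.com'

# Classify an s_client -status transcript passed as one string.
# Prints: not-stapled | stapled-good | stapled-revoked | stapled-other
ocsp_classify() {
    transcript="$1"
    if printf '%s\n' "$transcript" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
    elif printf '%s\n' "$transcript" | grep -q 'Cert Status: good'; then
        echo stapled-good
    elif printf '%s\n' "$transcript" | grep -q 'Cert Status: revoked'; then
        echo stapled-revoked
    elif printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        echo stapled-other      # e.g. "unknown" certificate status
    else
        echo not-stapled        # no OCSP block at all (handshake failed, no extension)
    fi
}

# One handshake that sends the status_request extension. stdin from /dev/null
# makes s_client exit right after the handshake instead of waiting for input.
ocsp_probe_once() {
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null
}

# Probe twice. The first handshake can legitimately show "no response sent"
# while nginx is still fetching from the CA; the second one is the verdict.
# Exit status 0 only if the second probe carried a "good" stapled response.
ocsp_probe() {
    host="$1"; port="${2:-443}"
    first="$(ocsp_classify "$(ocsp_probe_once "$host" "$port")")"
    sleep 3
    second="$(ocsp_classify "$(ocsp_probe_once "$host" "$port")")"
    echo "$host:$port first=$first second=$second"
    [ "$second" = stapled-good ]
}

# Usage: sh ocsp-stapling-check.sh example.com [443]
if [ "$#" -gt 0 ]; then
    ocsp_probe "$@"
fi
```

If the second probe still prints not-stapled, the config lines above are not the whole story: with ssl_stapling_verify on, nginx also refuses to staple a response it cannot validate against ssl_trusted_certificate, and failed fetches or validations show up in the nginx error log, which is the next place to look.
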

YashasviChaurasia commented 1 year ago

I would like to work on this issue. Could you please elaborate on the issue and assign it to me? Thank you.

MattIPv4 commented 1 year ago

👋 @YashasviChaurasia Happy to assign this to you -- I believe this issue involves doing some investigation work into why exactly the referenced tooling reports that OCSP is disabled when the configuration generated by the tool includes OCSP.

YashasviChaurasia commented 1 year ago

@MattIPv4

 When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed access through your firewall 

Have we checked this?
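
One way to test the firewall point quoted above from the nginx host itself, as an added example that is not part of the nginxconfig.io project or of this issue: extract the responder URL from the certificate, resolve it through the same resolver the generated config hands to nginx (nginx uses its resolver directive for the OCSP responder hostname, not /etc/resolv.conf), and query the responder directly with openssl. The certificate paths, the resolver and the two sample responder transcripts are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the nginxconfig.io project or this issue: check from
# the nginx host that the CA's OCSP responder is reachable and answers, which is
# what ssl_stapling needs. nginx resolves the responder hostname with its own
# `resolver` directive and fetches over outbound HTTP, so both DNS egress to
# the configured resolvers and HTTP egress to the responder must be allowed.
# Paths, resolver and the sample outputs below are constructed assumptions.

CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"
CHAIN="${CHAIN:-/etc/letsencrypt/live/example.com/chain.pem}"
RESOLVER="${RESOLVER:-1.1.1.1}"   # first entry of the generated resolver line

# Constructed `openssl ocsp` output for a responder that answered and verified.
SAMPLE_GOOD='Response verify OK
/etc/letsencrypt/live/example.com/cert.pem: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'

# Constructed output when the responder cannot be reached (egress blocked).
SAMPLE_DOWN='Error connecting BIO
Error querying OCSP responder'

# Responder URL from the certificate's Authority Information Access extension.
ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Hostname of an http(s) URL: http://ocsp.example.test:8080/x -> ocsp.example.test
url_host() { printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[/:].*$||'; }

# Resolve the responder host through the resolver nginx is configured with;
# `nslookup name server` queries that server directly, bypassing /etc/resolv.conf.
resolve_like_nginx() { nslookup "$1" "$RESOLVER" >/dev/null 2>&1; }

# Ask the responder directly, validating the answer against the chain the way
# ssl_stapling_verify with ssl_trusted_certificate does inside nginx.
ocsp_query() {
    url="$(ocsp_url "$CERT")"
    openssl ocsp -issuer "$CHAIN" -cert "$CERT" -CAfile "$CHAIN" \
        -url "$url" -resp_text 2>&1
}

# Classify `openssl ocsp` output passed as one string.
# Prints: unreachable | not-verified | good | revoked | other
ocsp_result() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'Error querying OCSP responder'; then
        echo unreachable
    elif ! printf '%s\n' "$out" | grep -q 'Response verify OK'; then
        echo not-verified       # e.g. "Response Verify Failure" or a responder error
    elif printf '%s\n' "$out" | grep -q ': good$'; then
        echo good
    elif printf '%s\n' "$out" | grep -q ': revoked$'; then
        echo revoked
    else
        echo other
    fi
}

# Usage: CERT=... CHAIN=... RESOLVER=... sh ocsp-responder-check.sh live
if [ "${1:-}" = live ]; then
    host="$(url_host "$(ocsp_url "$CERT")")"
    if resolve_like_nginx "$host"; then
        echo "DNS ok: $host via $RESOLVER"
    else
        echo "DNS FAIL: $host via $RESOLVER (is UDP/53 to the resolver allowed out?)"
    fi
    echo "responder: $(ocsp_result "$(ocsp_query)")"
fi
```

A DNS failure here means nginx cannot even find the responder with the resolvers from the generated config; an unreachable result means the HTTP path out is blocked; not-verified points at the chain handed to ssl_trusted_certificate rather than at the network.
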

MattIPv4 commented 1 year ago

I have not investigated this, no. This issue is to investigate what is happening, which may mean you need to set up a test NGINX server to see if OCSP is working, and why it isn't if it isn't.

YashasviChaurasia commented 1 year ago

How would I submit a PR for this issue? I would like this issue to add to my Hacktoberfest PRs. I would work on this issue anyway, but is there a way in which I can make it count?

MattIPv4 commented 1 year ago

If there is a bug in how we configure OCSP in the tool, then there'd be a need for a PR to fix that. But first, investigation needs to be done to see if the tool actually causes OCSP to not work, or if the issue is unrelated to the config the tool produces.