Closed nirgal closed 5 years ago
Hi, I don't see the use case. The option does not check if OCSP stapling is working but if the certificate has the must staple option set to true. I
Are you sure? You're the author, so this looks stupid, I know. Here, if I remove "ssl_stapling on" in my nginx config, I get a icinga warning. Also, when I run with the -d flag, I can see a lot of OCSP tests, like
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_cert_20181022fqox0n -cert /tmp/check_ssl_cert_20181022bVNxSu -url http://ocsp.int-x3.letsencrypt.org -header HOST=ocsp.int-x3.letsencrypt.org
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/check_ssl_cert_20181022bVNxSu: good
[DBG] OCSP: response = This Update: Oct 21 22:00:00 2018 GMT
[DBG] OCSP: response = Next Update: Oct 28 22:00:00 2018 GMT
where "Oct 28" is the date of the end of the OCSP window, and not the date of the certificate.
Hi
the test you are quoting is performed regardless of the --require-ocsp-stapling
option. If the certificate specifies an OCSP host for revocation, then the plugin checks it. It has nothing to do with stapling.
Matteo
Hi again
All right, I am not sure about the test. What I know is that your plug in works for OCSP stapling failure detection!
I am doing tests manually like:
openssl s_client -connect mola.greenpeace.fr:443 -servername www.greenpeace.fr -status </dev/null 2>&1 | grep OCSP
When OCSP stapling works, I get something like:
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Subject: C=BE, O=GlobalSign nv-sa/serialNumber=201808150004, CN=AlphaSSL CA - SHA256 - G2 - OCSP Responder
OCSP No Check:
OCSP Signing
When OCSP is not working, I get something like:
OCSP response: no response sent
Actually, the full success contains something like:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
Produced At: Oct 23 06:51:29 2018 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
Serial Number: 0D9740CBE4192770055ADC65
Cert Status: good
This Update: Oct 23 06:51:29 2018 GMT
Next Update: Oct 27 06:51:29 2018 GMT
(...)
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7e:3b:4e:d0:60:0e:69:a7:7e:d0:4b:24
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
Validity
Not Before: Aug 15 07:57:44 2018 GMT
Not After : Nov 15 07:57:44 2018 GMT
(...)
Here Oct 27 is the end of the stapling window. Nov 15 is the certificate expiration date.
Any way:
I've been fighting with a nginx server that have OCSP stapling that fails from time to time, especially after a reload. Also, OCSP stapling is never working for exactly one of the many domains of that server.
I've been using your script with icinga, and well ... it's working the way I want. I mean, after a "nginx reload", I get many hits where OCSP stapling is not working for a few minutes and then all goes green but for one of the domains. I can reproduce the OCSP stapling monitoring with the command line s_client: It sucks after a reload, but then after a few minutes all is good.
I cannot believe your plugin is not testing OCSP stapling when --require-ocsp-stapling. Sorry.
To go back to my original request: For me, when OCSP stapling not working, is a kind of bad (the client need extra connection to validate OCSP itself), but this is not critical. I would like a simple Warning. Not a Critical.
Does it makes sense?
There is some misunderstanding.
The only thing that the option --require-ocsp-stapling
does is connect and check if the server replies with the next update information Next update:
.
If you explicitly say that you require that the server provides stapling, not providing is clearly a critical problem. It's a binary condition: either stapling is supported or not. It's not something like disk space where a condition could be near a critical condition and thus just a warning.
If you do not require the stapling just don't specify the option. If you require it, then it's a requirement not an option.
The only thing that the option
--require-ocsp-stapling
does is connect and check if the server replies with the next update informationNext update:
.
Next update:
is part of the OCSP stapling answer. If you get that, then the server answer contains an OCSP stapling extension.
Exactly, and if not, then there is no stapling extension.
Hi
Ok. I still would like that feature. Let me explain:
I am running a configuration where the server is set up properly with OCSP answers. (nginx.conf with "ssl_stapling on"; apache.conf with "SSLUseStapling on"). Ssllabs shows that OCSP is working.
My certificate does not contain (letsencrypt/cerbot configuration without "--must-staple").
Basically OCSP is not required in my setup, but offered anyway by my servers.
I detected a bug in nginx where OCSP is not working for several minutes after it stats, so that I really love to have nagios warnings.
My query to you is to have this as a WARNING and not a CRITICAL.
Maybe you could add an option like --require-ocsp-stapling-but-only-warn
Or better, automatically, when --require-ocsp-stapling is used and not provided by the httpd server:
Does that make sense?
I'll take a look
I am not checking if stapling is working but just if it is required. If the certificate has the must-staple flag the check will return OK even if it is not working. I am only checking the certificate not if it's working.
--require-ocsp-stapling
results in critical errors. I believe a warning is enough, in most cases. Please consider changing CRITICAL error to a simple WARNING, unless the certificate contains a OCSP Must Staple extension. (see certbot --must-staple and similar).If some people really need a critical warning when OCSP is unavailable, maybe an extra option would be good?