Please add a non-critical OCSP error

[nirgal]

--require-ocsp-stapling results in critical errors. I believe a warning is enough, in most cases. Please consider changing CRITICAL error to a simple WARNING, unless the certificate contains a OCSP Must Staple extension. (see certbot --must-staple and similar).

If some people really need a critical warning when OCSP is unavailable, maybe an extra option would be good?

[matteocorti]

Hi, I don't see the use case. The option does not check if OCSP stapling is working but if the certificate has the must staple option set to true. I

[nirgal]

Are you sure? You're the author, so this looks stupid, I know. Here, if I remove "ssl_stapling on" in my nginx config, I get a icinga warning. Also, when I run with the -d flag, I can see a lot of OCSP tests, like

[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_cert_20181022fqox0n -cert /tmp/check_ssl_cert_20181022bVNxSu  -url http://ocsp.int-x3.letsencrypt.org  -header HOST=ocsp.int-x3.letsencrypt.org
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/check_ssl_cert_20181022bVNxSu: good
[DBG] OCSP: response =  This Update: Oct 21 22:00:00 2018 GMT
[DBG] OCSP: response =  Next Update: Oct 28 22:00:00 2018 GMT

where "Oct 28" is the date of the end of the OCSP window, and not the date of the certificate.

[matteocorti]

Hi

the test you are quoting is performed regardless of the --require-ocsp-stapling option. If the certificate specifies an OCSP host for revocation, then the plugin checks it. It has nothing to do with stapling.

Matteo

[nirgal]

Hi again

All right, I am not sure about the test. What I know is that your plug in works for OCSP stapling failure detection!

I am doing tests manually like:

openssl s_client -connect mola.greenpeace.fr:443 -servername www.greenpeace.fr -status </dev/null 2>&1 | grep OCSP

When OCSP stapling works, I get something like:

OCSP response: 
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
        Subject: C=BE, O=GlobalSign nv-sa/serialNumber=201808150004, CN=AlphaSSL CA - SHA256 - G2 - OCSP Responder
            OCSP No Check: 
                OCSP Signing

When OCSP is not working, I get something like:

OCSP response: no response sent

Actually, the full success contains something like:

OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: EE5EFFFE85DB26C626FBD3698410AD1D0DD3EF58
    Produced At: Oct 23 06:51:29 2018 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 84D56BF8098BD307B766D8E1EBAD6596AA6B6761
      Issuer Key Hash: F5CDD53C0850F96A4F3AB797DA5683E669D268F7
      Serial Number: 0D9740CBE4192770055ADC65
    Cert Status: good
    This Update: Oct 23 06:51:29 2018 GMT
    Next Update: Oct 27 06:51:29 2018 GMT
(...)
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7e:3b:4e:d0:60:0e:69:a7:7e:d0:4b:24
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
        Validity
            Not Before: Aug 15 07:57:44 2018 GMT
            Not After : Nov 15 07:57:44 2018 GMT
(...)

Here Oct 27 is the end of the stapling window. Nov 15 is the certificate expiration date.

Any way:

I've been fighting with a nginx server that have OCSP stapling that fails from time to time, especially after a reload. Also, OCSP stapling is never working for exactly one of the many domains of that server.

I've been using your script with icinga, and well ... it's working the way I want. I mean, after a "nginx reload", I get many hits where OCSP stapling is not working for a few minutes and then all goes green but for one of the domains. I can reproduce the OCSP stapling monitoring with the command line s_client: It sucks after a reload, but then after a few minutes all is good.

I cannot believe your plugin is not testing OCSP stapling when --require-ocsp-stapling. Sorry.

To go back to my original request: For me, when OCSP stapling not working, is a kind of bad (the client need extra connection to validate OCSP itself), but this is not critical. I would like a simple Warning. Not a Critical.

Does it makes sense?

[matteocorti]

There is some misunderstanding.

The only thing that the option --require-ocsp-stapling does is connect and check if the server replies with the next update information Next update:.

If you explicitly say that you require that the server provides stapling, not providing is clearly a critical problem. It's a binary condition: either stapling is supported or not. It's not something like disk space where a condition could be near a critical condition and thus just a warning.

If you do not require the stapling just don't specify the option. If you require it, then it's a requirement not an option.

[nirgal]

The only thing that the option --require-ocsp-stapling does is connect and check if the server replies with the next update information Next update:.

Next update: is part of the OCSP stapling answer. If you get that, then the server answer contains an OCSP stapling extension.

[matteocorti]

Exactly, and if not, then there is no stapling extension.

[nirgal]

Hi

Ok. I still would like that feature. Let me explain:

• The server can offer or not an OCSP signature in its answer.
• The certificate can or not contain a flag saying OCSP check are required by the clients.

I am running a configuration where the server is set up properly with OCSP answers. (nginx.conf with "ssl_stapling on"; apache.conf with "SSLUseStapling on"). Ssllabs shows that OCSP is working.

My certificate does not contain (letsencrypt/cerbot configuration without "--must-staple").

Basically OCSP is not required in my setup, but offered anyway by my servers.

I detected a bug in nginx where OCSP is not working for several minutes after it stats, so that I really love to have nagios warnings.

My query to you is to have this as a WARNING and not a CRITICAL.

Maybe you could add an option like --require-ocsp-stapling-but-only-warn

Or better, automatically, when --require-ocsp-stapling is used and not provided by the httpd server:

• CRITICAL if the certificate contains a "must-staple" flag (The site is not working)
• WARNING otherwise (The site is working fine without the OCSP extension).

Does that make sense?

[matteocorti]

I'll take a look

[matteocorti]

I am not checking if stapling is working but just if it is required. If the certificate has the must-staple flag the check will return OK even if it is not working. I am only checking the certificate not if it's working.