mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

Why do you recommend adding the root CA for nginx under ssl_trusted_certificate? (OCSP stapling) #148

Closed matrey closed 3 years ago

matrey commented 3 years ago

The configuration states:

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

Are we sure the root CA is actually needed in the bundle?

Context: upcoming expiration of Let's Encrypt's cross-signed root (DST Root CA X3) in September 2021. The default intermediate chain returned by Let's Encrypt will still link to that root even after it expires (to get a few more years of compatibility on old Android devices). I'm afraid this might impact the OCSP stapling.

And it seems like Nginx is happy if provided with the same chain that is sent to clients, without the root CA e.g. https://github.com/certbot/certbot/issues/5098

After trying several variations of pointing to my site cert and the signer's cert chain, just setting both ssl_certificate and ssl_trusted_certificate to point to my bundled cert just worked.

tomato42 commented 3 years ago

Haven't tested nginx, but httpd does require a root CA certificate so that it can verify the OCSP responses before passing them on to clients; I'd expect nginx to do the same. If that's the case you need to provide a CA certificate to nginx. But it doesn't have to be any particular one, so you can provide only the new CA and chain.

Note that there should be two different certificate bundles: one is the server certificate + intermediates (this doesn't have to include the CA cert, and by my reading it's the ssl_certificate setting), and a second bundle that sets which certificates nginx will trust when it's configured for client-certificate-based authentication, as a reverse proxy, or as an OCSP client (that's the ssl_trusted_certificate).

So... to answer the question, yes a CA certificate is needed in the ssl_trusted_certificate bundle.
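
The distinction drawn in the comment above (the chain nginx serves via ssl_certificate versus the trust store it builds from ssl_trusted_certificate to verify OCSP responses) can be exercised offline with the openssl CLI instead of against a live nginx. The script below is an added example and is not part of this issue or of the ssl-config-generator project: it generates a throwaway root / intermediate / leaf hierarchy, has the intermediate sign an OCSP response for the leaf (the issuer acting as its own responder, which RFC 6960 permits), and then asks `openssl ocsp` to verify that response against three candidate bundles: root plus intermediate, intermediate only, and intermediate only with `-partial_chain`. Every name, path and serial in it is made up, and it assumes OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not code from the issue or the project. Builds a constructed
# PKI with the openssl CLI, produces an OCSP response signed by the
# intermediate, and verifies it against different trust bundles, which is the
# step any OCSP-stapling client must perform before handing a response on.
# Assumes OpenSSL >= 1.1.1; all names, serials and paths are invented.
set -eu

W=$(mktemp -d)                 # scratch directory for the constructed PKI
trap 'rm -rf "$W"' EXIT

# Minimal config so `openssl req` does not depend on the system openssl.cnf.
cat > "$W/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign, digitalSignature
subjectKeyIdentifier = hash
EOF

build_demo_pki() {
    # Self-signed root ("Demo Root", constructed).
    openssl req -x509 -config "$W/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$W/root.key" -out "$W/root.pem" -subj "/CN=Demo Root" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$W/int.key" -out "$W/int.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$W/int.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
        -set_serial 0x1000 -days 30 -extfile "$W/ca.cnf" -extensions v3_ca \
        -out "$W/int.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate, serial 0x1234.
    openssl req -new -config "$W/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$W/leaf.key" -out "$W/leaf.csr" -subj "/CN=leaf.example" 2>/dev/null
    openssl x509 -req -in "$W/leaf.csr" -CA "$W/int.pem" -CAkey "$W/int.key" \
        -set_serial 0x1234 -days 30 -out "$W/leaf.pem" 2>/dev/null

    # The two candidate ssl_trusted_certificate bundles discussed in the thread.
    cat "$W/root.pem" "$W/int.pem" > "$W/root_plus_int.pem"
    cp  "$W/int.pem"                "$W/int_only.pem"

    # CA index marking serial 1234 as valid (V); the responder looks serials up here.
    printf 'V\t300101000000Z\t\t1234\tunknown\t/CN=leaf.example\n' > "$W/index.txt"

    # Build an OCSP request for the leaf, then answer it with the intermediate's
    # own key (issuer acting as responder) and store the DER response.
    openssl ocsp -issuer "$W/int.pem" -cert "$W/leaf.pem" -no_nonce \
        -reqout "$W/req.der" >/dev/null 2>&1
    openssl ocsp -index "$W/index.txt" -CA "$W/int.pem" -no_nonce \
        -rsigner "$W/int.pem" -rkey "$W/int.key" \
        -reqin "$W/req.der" -respout "$W/resp.der" >/dev/null 2>&1
}

# Verify the stored response against the trust bundle in $1; any further
# arguments (e.g. -partial_chain) are passed to openssl. Exit status 0 means
# "Response verify OK", i.e. the signer chained to something in the bundle.
ocsp_verify() {
    store=$1; shift
    openssl ocsp -respin "$W/resp.der" -CAfile "$store" -no_nonce "$@" >/dev/null 2>&1
}

report() {
    if ocsp_verify "$@"; then
        echo "verify OK      : $*"
    else
        echo "verify FAILURE : $*"
    fi
}

build_demo_pki
report "$W/root_plus_int.pem"
report "$W/int_only.pem"
report "$W/int_only.pem" -partial_chain
```

With the self-signed root in the bundle the response verifies; with only the intermediate it does not, because OpenSSL's chain building (like any PKIX verifier) will not treat a non-self-signed certificate as a trust anchor unless partial chains are explicitly allowed, which is what the third call switches on. Whether a given nginx build behaves like the first or the third case is exactly what this thread leaves open; the quickest way to see what a live server actually staples is `openssl s_client -connect host:443 -servername host -status </dev/null`, which prints the stapled response or "no response sent".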

matrey commented 3 years ago

I ended up systematically adding the root CA certificates of Let's Encrypt (its own roots ISRG X1 / X2) + Buypass to my ssl_trusted_certificate bundle, in addition to the intermediates returned by Let's Encrypt.

Nginx seems happy with that... though it also seems happy without any CA cert in the bundle, so I'm not sure we can conclude much here (it could just as well be ignoring all the CA certs I provided in the bundle and relying on the system trust store?).

I guess I'll need to keep an eye on OCSP response data around September 30th 2021, when the DST X3 root will expire.