Configuring OCSP #340

Open
pikausp opened this issue Apr 8, 2022 · 6 comments
pikausp commented Apr 8, 2022

Information

https://whatismybrowser.com/w/QCB7F49

Help request

Problem

OCSP is not enabled after using the generated configuration. Multiple tools (digicert helpers, ssllabs, openssl) report that OCSP is disabled. I made sure I was checking this on subsequent requests due to the asynchronicity of the OCSP fetch.

What I have tried

The OCSP stapling configured in the nginx.conf

```nginx
# OCSP Stapling
ssl_stapling           on;
ssl_stapling_verify    on;
resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout       2s;
```

The trusted certificate configured in the server block (some systems might require this when ssl_stapling_verify is on)

```nginx
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
```

MattIPv4 added the help wanted and hacktoberfest labels Apr 8, 2022

@YashasviChaurasia

I would like to work on this issue.
Could you please elaborate on the issue and assign it to me?
Thank you.

@MattIPv4
Member

👋 @YashasviChaurasia Happy to assign this to you -- I believe this issue involves doing some investigation work into why exactly the referenced tooling reports that OCSP is disabled when the configuration generated by the tool includes OCSP.

@YashasviChaurasia

YashasviChaurasia commented Oct 18, 2022

@MattIPv4

> When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed access through your firewall

Have we checked this?

@MattIPv4
Member

MattIPv4 commented Oct 18, 2022

I have not investigated this, no. This issue is to investigate what is happening, which may mean you need to set up a test NGINX server to see if OCSP is working, and why it isn't if it isn't.

@YashasviChaurasia

How would I submit a PR for this issue? I would like this issue to add up to my Hacktoberfest PRs.
I would work on this issue anyways but is there a way in which I can make it count?

@MattIPv4
Member

If there is a bug in how we configure OCSP in the tool, then there'd be a need for a PR to fix that. But first, investigation needs to be done to see if the tool actually causes OCSP to not work, or if the issue is unrelated to the config the tool produces.
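
Added example, not part of the thread and not the project's code: one way to run the investigation described above from the command line. It classifies the stapling section of `openssl s_client -status` output and repeats the probe, since the staple is fetched asynchronously; the function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify OCSP stapling from the
# output of `openssl s_client -status`. Function names are hypothetical.

# Reads s_client output on stdin and prints one of:
#   not-stapled | stapled-good | stapled-not-good | ocsp-error | unknown
classify_stapling() {
    awk '
        /OCSP response: no response sent/ { none = 1 }
        /OCSP Response Status:/ { seen = 1; if ($0 ~ /successful/) ok = 1 }
        /Cert Status:/ { status = $3 }
        END {
            if (none) print "not-stapled"
            else if (!seen) print "unknown"
            else if (!ok) print "ocsp-error"
            else if (status == "good") print "stapled-good"
            else print "stapled-not-good"
        }'
}

# Probes HOST up to TRIES times. The staple is fetched asynchronously, so
# an early handshake can legitimately report "not-stapled".
probe_stapling() {
    host=$1; tries=${2:-3}; i=1
    while [ "$i" -le "$tries" ]; do
        result=$(openssl s_client -connect "$host:443" -servername "$host" \
            -status </dev/null 2>/dev/null | classify_stapling)
        echo "attempt $i: $result"
        [ "$result" = "not-stapled" ] || break
        i=$((i + 1)); sleep 2
    done
}

# Constructed excerpts of s_client output, not captured from a real server.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
======================================'

printf '%s\n' "$SAMPLE_NONE" | classify_stapling
printf '%s\n' "$SAMPLE_GOOD" | classify_stapling
```

Run `probe_stapling example.com` against a test server. A result that stays `not-stapled` on every attempt is consistent with the server's own OCSP fetch failing (for example the firewall case quoted in the thread) rather than with timing.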
