- Host: Ubuntu 20.04.2 (5.4.0-67-generic) x64
- Server: NGINX 1.18.0 (Ubuntu)
- CA: Let's Encrypt
Getting OCSP to work consistently has proven really difficult. Any help would be greatly appreciated. Thanks in advance.
On a fresh start with caches cleared (DNS, browser), when I access my configured domain from outside the network, I do not receive an OCSP response.
Here is an OpenSSL test:
PS C:\> openssl s_client -connect cdn.example.com:443 -status
CONNECTED(000001A4)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = cdn.example.com
verify return:1
OCSP response: no response sent
---
Certificate chain
0 s:CN = cdn.example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<long string>
-----END CERTIFICATE-----
subject=CN = cdn.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2963 bytes and written 424 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: <long string>
Session-ID-ctx:
Master-Key: <long string>
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1616045447
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
This means Firefox raises a security warning on the initial connection:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
I looked into this warning: if the server does not staple as required, Firefox stops the connection. You can click [Try Again] and hope it gets through; that works about 30% of the time. This behaviour and this warning are not what I want. First, it can actually block access to the site. Second, it is a security problem in itself. Users will see this warning and, if [Try Again] works for them, become desensitised to it. So if any site has a genuine security problem in the future, they may ignore the warning and unknowingly become victims.
Here is my SSL server block setup:
ssl_certificate "/etc/letsencrypt/live/cdn.example.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/cdn.example.com/privkey.pem";
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam "/etc/letsencrypt/live/dhparam.pem";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_stapling on;
ssl_trusted_certificate "/etc/letsencrypt/live/cdn.example.com/chain.pem";
From the README file certbot generated after issuance:
[cert name]/chain.pem: used for OCSP stapling in Nginx >=1.3.7.
I have read several documents from various places on how to use OCSP, and they indicate that I have set it up correctly. I collected a few certificates via LE's support pages. They are installed on the system. The default certificate store tells me I have 129; after adding mine, I have 133.
root@vmx:/# ls -lsha /usr/local/share/ca-certificates
example.crt -> /etc/letsencrypt/live/example.com/chain.pem
isrg-root-ocsp-x1.crt -> /etc/letsencrypt/live/isrg-root-ocsp-x1.pem
isrgrootx1.crt -> /etc/letsencrypt/live/isrgrootx1.pem
lets-encrypt-r3.crt -> /etc/letsencrypt/live/lets-encrypt-r3.pem
The server should send the stapled response on the first connection. Also, once you dismiss the Firefox warning and the page does load, you can run the openssl command and get:
PS C:\> openssl s_client -connect cdn.example.com:443 -status
CONNECTED(000001A0)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = cdn.example.com
verify return:1
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = R3
Produced At: Mar 16 05:36:00 2021 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: <long string>
Issuer Key Hash: <long string>
Serial Number: <long string>
Cert Status: good
This Update: Mar 16 05:00:00 2021 GMT
Next Update: Mar 23 05:00:00 2021 GMT
Signature Algorithm: sha256WithRSAEncryption
<long string>
======================================
---
Certificate chain
0 s:CN = cdn.example.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
<long string>
-----END CERTIFICATE-----
subject=CN = cdn.example.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3483 bytes and written 424 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: <long string>
Session-ID-ctx:
Master-Key: <long string>
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1616045922
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
Now it magically works. All subsequent requests are fine. But as soon as you clear the caches, the warning comes back.
Looking at the logs, I see the following in /var/log/nginx/error.log:
"ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/letsencrypt/live/cdn.example.com/fullchain.pem"
A fresh run of https://entrust.ssllabs.com/ reports the following:
OCSP Must Staple Supported
Again, more documentation says this should read:
OCSP Must Staple Yes
I am stuck and do not know whether I am doing something wrong or whether something is outside my control. I want this to work reliably, for the two reasons pointed out here.
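A small shell helper for the two artifacts this question shows, added here as an example and not part of the original post: it classifies openssl s_client -status output as stapled or not, pulls the unresolvable responder host out of the NGINX "ssl_stapling" ignored log line (that message means NGINX could not resolve the responder name, which points at a missing or unreachable resolver directive rather than at the certificate files), and checks a PEM certificate for the Must-Staple (TLS Feature) extension. The function names and the sample strings are my own; the samples are trimmed from the transcripts in the question, with a constructed date/pid prefix on the log line.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): diagnose OCSP stapling from the
# artifacts shown in the question. Function and variable names are assumptions.

# staple_status: reads `openssl s_client -status` output on stdin and prints
#   stapled  - a successful OCSP response was attached to the handshake
#   none     - the server sent no status; on a Must-Staple certificate this is
#              what makes Firefox raise MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
#   unknown  - neither marker found (connection failed, or output truncated)
staple_status() {
    local out
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# stapling_log_responders: reads NGINX error.log lines on stdin and prints the
# responder host from every '"ssl_stapling" ignored, host not found' entry.
# NGINX emits this when it cannot resolve the responder name, so the fix is in
# the resolver configuration, not in the certificate chain.
stapling_log_responders() {
    sed -n 's/.*"ssl_stapling" ignored, host not found in OCSP responder "\([^"]*\)".*/\1/p'
}

# must_staple_present: reads a PEM certificate on stdin; returns 0 when it
# carries the TLS Feature extension (status_request), i.e. OCSP Must-Staple.
# Usage: must_staple_present < /etc/letsencrypt/live/<name>/cert.pem
must_staple_present() {
    openssl x509 -noout -text 2>/dev/null | grep -q 'status_request'
}

# Constructed samples, trimmed from the two s_client runs in the question and
# from the error.log line (the date/pid prefix is made up for illustration).
SAMPLE_NO_STAPLE='OCSP response: no response sent'
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_LOG='2021/03/18 06:10:47 [warn] 1234#1234: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/letsencrypt/live/cdn.example.com/fullchain.pem"'

# Live use: replace the sample with a real handshake, e.g.
#   openssl s_client -connect cdn.example.com:443 -servername cdn.example.com -status </dev/null 2>/dev/null | staple_status
printf 'first sample:  %s\n' "$(printf '%s\n' "$SAMPLE_NO_STAPLE" | staple_status)"
printf 'second sample: %s\n' "$(printf '%s\n' "$SAMPLE_STAPLED" | staple_status)"
printf 'unresolved responder(s): %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | stapling_log_responders)"
```

Run against a live host, the first s_client run after an NGINX restart is expected to print none and a later one stapled; if every run prints none and stapling_log_responders keeps reporting a host, the responder name is not being resolved.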
Answer 1
After more reading and trial and error, I finally solved this about a month ago. Only then did I remember that I had asked here.
These instructions were written using Let's Encrypt. When done, run an SSL test to verify: https://www.ssllabs.com/ssltest/ - you should get an A+.
Make sure NGINX is not running. If it is, stop it with systemctl stop nginx. Get your certificates:
apt install certbot
certbot certonly --uir --hsts --staple-ocsp --must-staple -d yourdomain.com
When asked, spin up a temporary web server.
Generate dhparam in your /etc/letsencrypt/live directory:
openssl dhparam -dsaparam -out /etc/letsencrypt/live/dhparam.pem 4096
For your domain's .vhost or .conf file, mirror this for the SSL (443) block:
ssl_certificate "/etc/letsencrypt/live/yourdomain.com/fullchain.pem";
ssl_certificate_key "/etc/letsencrypt/live/yourdomain.com/privkey.pem";
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
ssl_dhparam "/etc/letsencrypt/live/dhparam.pem";
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000" always;
ssl_stapling on;
ssl_trusted_certificate "/etc/letsencrypt/live/yourdomain.com/chain.pem";
Do not include TLSv1.0 or TLSv1.1 in ssl_protocols.
If you set a resolver, the timeout must be >= 30 seconds.
If your server restarts (or only NGINX restarts), the OCSP staple will not be present the first time someone connects to your site. NGINX will leave an error in the log. This is a software limitation: NGINX does not automatically prime the cache for OCSP stapling. To do that, you can set up a cron job to run a few minutes after boot. If you restart NGINX, you can run the command manually. The first openssl run does not staple; the second run does. If you want it simpler, just visit the site as soon as the server or NGINX is ready.
Anyone visiting your site after that will be stapled. You will no longer see the error message in the log.
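The priming job the answer describes, written out as an added example rather than the answerer's own script: it performs the handshake the answer says to run, repeats it until a successful OCSP response is stapled, and is meant to be called from the cron job mentioned above or straight after restarting NGINX. The probe and prime_staple names, the retry defaults and the crontab line are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer: prime NGINX's OCSP staple cache
# after a (re)start by handshaking until a staple is returned. Names assumed.

# probe HOST PORT: one TLS handshake that asks for a stapled status (-status)
# and prints the s_client transcript. NGINX fetches the OCSP response in the
# background after the first handshake that asks for it, so the first run
# normally comes back without a staple and the second with one.
probe() {
    openssl s_client -connect "$1:$2" -servername "$1" -status </dev/null 2>/dev/null
}

# is_stapled: reads an s_client transcript on stdin; 0 if a good response was stapled.
is_stapled() {
    grep -q 'OCSP Response Status: successful'
}

# prime_staple HOST [PORT] [MAX_TRIES] [PAUSE_SECONDS]
# Handshakes until the staple appears. Prints the number of attempts used and
# returns 0 on success, 1 if MAX_TRIES handshakes all came back without a staple
# (typical causes: no resolver configured for NGINX, or the responder unreachable).
prime_staple() {
    local host=$1 port=${2:-443} max=${3:-5} pause=${4:-3} n=0
    while [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if probe "$host" "$port" | is_stapled; then
            echo "$n"
            return 0
        fi
        sleep "$pause"
    done
    echo "$n"
    return 1
}

# Run from cron a few minutes after boot, e.g. (constructed crontab line):
#   @reboot sleep 180 && /usr/local/sbin/prime-ocsp.sh cdn.example.com
if [ -n "${1:-}" ]; then
    if attempts=$(prime_staple "$1" "${2:-443}"); then
        echo "staple present after $attempts handshake(s)" >&2
    else
        echo "no staple after $attempts handshake(s); check error.log for \"ssl_stapling\" ignored" >&2
        exit 1
    fi
fi
```

A non-zero exit after the retry budget is the signal to look at error.log rather than to keep retrying: if NGINX cannot resolve the responder host, no number of handshakes will produce a staple.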