I want to enable OCSP stapling on my nginx server. I am using
- nginx version: nginx/1.6.2
- Debian
- Let's Encrypt certificate
I really have no experience with this, so it may be a trivial question.
This is my nginx security configuration:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
This is my site/server security configuration:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# All files have been generated by Let's encrypt
ssl_certificate /etc/letsencrypt/live/myexample.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myexample.org/privkey.pem;
# Everything below this line was added to enable OCSP stapling
# What is that (generated file) and is that required at all?
ssl_trusted_certificate /etc/letsencrypt/live/myexample.org/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
I read that this is enough to enable OCSP stapling.
But if I test it with
openssl s_client -connect myexample.org:443 -tls1 -tlsextdebug -status
I get the following response:
TLS server extension "renegotiation info" (id=65281), len=1
0001 - <SPACES/NULS>
TLS server extension "EC point formats" (id=11), len=4
0000 - 03 00 01 02 ....
TLS server extension "session ticket" (id=35), len=0
TLS server extension "heartbeat" (id=15), len=1
0000 - 01 .
OCSP response: no response sent
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=myexample.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
[...]
In particular
OCSP response: no response sent
What am I doing wrong?
Certificate hierarchy:
- DST Root CA X3
- Let's Encrypt Authority X1
- myexample.org
- Let's Encrypt Authority X1
EDIT:
OCSP: URI: http://ocsp.int-x1.letsencrypt.org/
CA-Issuer: URI: http://cert.int-x1.letsencrypt.org/
Answer 1
With a standard nginx setup you do not need to specify the ssl_trusted_certificate
chain. The following should be enough:
ssl_certificate /etc/letsencrypt/live/myexample.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myexample.org/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
See here for more background.
Answer 2
I found the solution based on a tutorial I found here:
cd /etc/ssl/private
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem https://letsencrypt.org/certs/letsencryptauthorityx1.pem https://www.identrust.com/certificates/trustid/root-download-x3.html | tee -a ca-certs.pem > /dev/null
and add this to your site/server configuration:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
Reload your configuration.
Important: open your browser and visit your page once.
Then you can test your server locally with the following command:
openssl s_client -connect myexample.org:443 -tls1 -tlsextdebug -status
You will most likely get a valid response like this:
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
Don't worry if you also get a
Verify return code: 20 (unable to get local issuer certificate)
at the bottom; the Let's Encrypt certificate is not yet in the default trusted certificate store. (I don't have much SSL experience, so I may be wrong.)
That error does not occur if you run the following command on the server:
openssl s_client -CApath /etc/ssl/private/ -connect myexample.org:443 -tls1 -tlsextdebug -status
Afterwards you can test your server with:
https://www.digicert.com/help/
Note that the ssllabs test currently does not fetch the OCSP response. I think this is because the Let's Encrypt certificate is not yet in the default trusted certificate store.
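The manual `openssl s_client -status` check used in the question and in answer 2 is easy to misread, for two reasons: nginx only fetches the OCSP response after the first handshake that asks for it, so the very first connection after a reload normally reports "no response sent" (that is why answer 2 says to visit the page once first), and the "Verify return code: 20" at the bottom only means the local openssl has no CA bundle for the chain, not that stapling failed. With `ssl_stapling_verify on`, nginx itself also needs the issuer and root certificates in `ssl_trusted_certificate` to accept the responder's signature, which is what answer 2's bundle provides. The script below is an added example, not code from the question or either answer: it classifies captured s_client output and, when given a host name, probes the server twice so the cache has had a chance to fill. The host name, CA bundle path and the two sample outputs are placeholders and constructed text, not real captures.

```shell
#!/bin/sh
# Added example; not code from the question or either answer.
# Classifies the OCSP stapling result in captured `openssl s_client -status`
# output and optionally probes a live host. nginx fetches the OCSP response
# lazily after the first handshake that requests it, so a single connection
# right after a reload usually says "no response sent" even when stapling
# is configured correctly; the live probe therefore connects twice.

# Print one word describing the stapling state in the s_client output
# passed as $1: "stapled" (a successful OCSP response was included),
# "none" (the server sent no status_request response), or "unknown".
ocsp_status() {
    case "$1" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Print the numeric "Verify return code" from the s_client output in $1
# (0 = chain verified, 20 = unable to get local issuer certificate),
# or "missing" if the line is absent. This code is about the local CA
# bundle of the openssl client, not about stapling.
verify_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    else
        echo missing
    fi
}

# Live probe (performs real network connections; hypothetical usage).
# $1 = host name, $2 = optional CA bundle passed to -CAfile so that the
# chain verifies locally and the return code becomes 0 instead of 20.
# -servername sends SNI, which a server with several vhosts needs in order
# to pick the right certificate and therefore the right stapled response.
check_stapling() {
    host=$1
    cafile=${2:-}
    set -- -connect "$host:443" -servername "$host" -status
    if [ -n "$cafile" ]; then
        set -- "$@" -CAfile "$cafile"
    fi
    out=$(openssl s_client "$@" 2>/dev/null </dev/null)
    # Second handshake: by now nginx has had a chance to fetch and cache
    # the OCSP response triggered by the first one.
    sleep 1
    out=$(openssl s_client "$@" 2>/dev/null </dev/null)
    echo "stapling: $(ocsp_status "$out")  verify: $(verify_code "$out")"
}

# Constructed sample outputs (not real captures) mirroring the failing
# result shown in the question and the working result shown in answer 2.
SAMPLE_NO_STAPLE="TLS server extension \"session ticket\" (id=35), len=0
OCSP response: no response sent
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify error:num=20:unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)"

SAMPLE_STAPLED="OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
Verify return code: 0 (ok)"

# Only probe the network when a host is given, e.g.
#   sh check_ocsp.sh myexample.org /etc/ssl/private/ca-certs.pem
if [ $# -gt 0 ]; then
    check_stapling "$1" "${2:-}"
fi
```

Run it without arguments to exercise only the parsing helpers; with a host name it prints a line such as `stapling: stapled  verify: 0`. If the second probe still reports `none`, check the nginx error log for the OCSP fetch (the `resolver` directive must be able to resolve the responder host, and with `ssl_stapling_verify on` the responder's certificate must chain to something in `ssl_trusted_certificate`).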