Configuring OCSP Stapling for a Certificate on Nginx

Published on 2019-01-20   |   Category: HTTPS reference

This post records the procedure for a Let's Encrypt (Authority X3) certificate.

First, find the OCSP responder address.
In the command below, chained.pem is the site's complete certificate chain: the site certificate, the intermediate certificate and the root certificate.

openssl x509 -in /path/chained.pem -text | grep "OCSP - URI:" | cut -d: -f2,3

Running the command above returns: http://ocsp.int-x3.letsencrypt.org/
Next, fetch the OCSP response and write it to the file ocsp.resp:

# chain.pem is the intermediate certificate
# site.pem is the certificate issued to the site
# Note: the two-argument "-header NAME VALUE" form is OpenSSL 1.0.x syntax;
# OpenSSL 1.1.0 and later expect "-header Host=ocsp.int-x3.letsencrypt.org".
openssl ocsp -no_nonce \
             -respout /path/to/ocsp.resp \
             -issuer /path/to/chain.pem \
             -cert /path/to/site.pem \
             -url http://ocsp.int-x3.letsencrypt.org/ \
             -header "HOST" "ocsp.int-x3.letsencrypt.org"

If it fails with an error like the following:

Response Verify Failure
140060623058848:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:

The cause is that the server probably does not trust Let's Encrypt's root or intermediate certificate.
Here is how to fix it:
download the relevant root and intermediate certificates.
They are:

Root certificate: DST Root CA X3
Root certificate: ISRG Root X1
Intermediate certificate: Let's Encrypt Authority X1 (issued by each of the two roots above)
Backup intermediate for X1: Let's Encrypt Authority X2
Intermediate certificate: Let's Encrypt Authority X3 (compatible with Windows XP)
Backup intermediate for X3: Let's Encrypt Authority X4

Whichever route you take, first save all of these certificates locally.

mkdir -p /path/to/tmp/
cd /path/to/tmp/
curl -o ./DST_Root_CA_X3.pem -L https://ssl-tools.net/certificates/dac9024f54d8f6df94935fb1732638ca6ad77c13.pem
curl -O -L https://letsencrypt.org/certs/isrgrootx1.pem
curl -O -L https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
curl -O -L https://letsencrypt.org/certs/letsencryptauthorityx3.pem
curl -O -L https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem
curl -O -L https://letsencrypt.org/certs/letsencryptauthorityx4.pem
curl -O -L https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
curl -O -L https://letsencrypt.org/certs/letsencryptauthorityx1.pem
curl -O -L https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem
curl -O -L https://letsencrypt.org/certs/letsencryptauthorityx2.pem

Generate a dedicated ca-bundle.pem

cat /path/to/tmp/*.pem > /path/to/certs/ca-bundle.pem
# Caution:
# the Let's Encrypt X2 .pem file is in DOS format (X3 needs no attention);
# after concatenation this breaks the PEM format of the bundle.
# Convert it to Unix format (add a trailing newline) and regenerate the bundle.
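The concatenation problem above comes down to one file whose last END line has no trailing newline, so the next file's BEGIN marker lands on the same line. The following script is an added example, not code from the original post: it normalises every downloaded .pem (strips CR characters, guarantees a final newline) before concatenating, then checks the bundle for fused markers and matching BEGIN/END counts. The directory and output paths are assumptions; the optional openssl check is only run when openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): build ca-bundle.pem robustly.
# Assumes the downloaded .pem files live in the directory given as $1 and the
# bundle is written to the path given as $2 (outside that directory).

# Normalise one PEM file to stdout: drop CR bytes and ensure a final newline.
normalize_pem() {
    tr -d '\r' < "$1"
    # $(tail -c 1 f) is empty only when the last byte is a newline
    if [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n'
    fi
}

# Concatenate every .pem in directory $1 into bundle $2.
build_bundle() {
    out="$2"
    : > "$out"
    for f in "$1"/*.pem; do
        normalize_pem "$f" >> "$out"
    done
}

# Structural check: no line may carry both an END and a BEGIN marker, and the
# BEGIN/END counts must match and be non-zero.
check_bundle() {
    bundle="$1"
    if grep -q 'END CERTIFICATE-----.*BEGIN' "$bundle"; then
        echo "malformed bundle: markers fused on one line" >&2
        return 1
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Optional semantic check: ask openssl to parse every certificate in the
# bundle (fails on any malformed block). Skipped when openssl is absent.
verify_bundle_with_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Usage (assumed paths, matching the post's placeholders):
#   build_bundle /path/to/tmp /path/to/certs/ca-bundle.pem
#   check_bundle /path/to/certs/ca-bundle.pem && verify_bundle_with_openssl /path/to/certs/ca-bundle.pem
```

Run the three functions in that order after the curl downloads; if check_bundle reports fused markers, one of the inputs still lacks its trailing newline and the bundle must not be handed to -CAfile/-VAfile.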

Try caching the ocsp.resp file again.
This time run:

openssl ocsp -no_nonce \
             -respout /path/to/ocsp.resp \
             -issuer /path/to/chain.pem \
             -cert /path/to/site.pem \
             -CAfile /path/to/certs/ca-bundle.pem \
             -VAfile /path/to/certs/ca-bundle.pem \
             -url http://ocsp.int-x3.letsencrypt.org/ \
             -header "HOST" "ocsp.int-x3.letsencrypt.org"

Note the newly added -CAfile and -VAfile parameters; both point to the dedicated bundle file described above.

If nothing else goes wrong,
you will see output like this:

Response verify OK
/path/to/certs/quchao.com/chained.pem: good
    This Update: Jan 17 06:00:00 2016 GMT
    Next Update: Jan 24 06:00:00 2016 GMT

This shows that the OCSP response was cached successfully,
and it tells you when the response expires.
To enable OCSP Stapling, add the following to the ssl section of the nginx site configuration:

ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /etc/letsencrypt/live/blog.zbusa.com/ocsp.resp;

Reload the nginx configuration:

service nginx reload

Test with the following command:

echo QUIT | openssl s_client -connect blog.zbusa.com:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

If the reply contains OCSP Response Status: successful, stapling is working.
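Because ssl_stapling_file serves a static file, the stapled response goes stale once the "Next Update" time shown above has passed, and clients that check the staple will then reject it. The script below is an added example, not code from the original post: it re-fetches the response with the same openssl ocsp invocation, installs it only if the report verifies and the status is "good", reloads nginx, and offers a client-side check. The certificate paths, the OCSP URL and host, and the staple path are assumptions taken from the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the OCSP staple before
# it expires, keeping the previous file whenever the new response fails to
# verify. All paths and host names below are assumed placeholders.
SITE_CERT=/path/to/site.pem
ISSUER_CERT=/path/to/chain.pem
CA_BUNDLE=/path/to/certs/ca-bundle.pem
OCSP_URL=http://ocsp.int-x3.letsencrypt.org/
OCSP_HOST=ocsp.int-x3.letsencrypt.org
STAPLE=/etc/letsencrypt/live/blog.zbusa.com/ocsp.resp

# Accept an openssl ocsp report only if the signature verified and the
# certificate status is "good"; a "revoked" or "unknown" status is a failure.
ocsp_report_ok() {
    report="$1"
    printf '%s\n' "$report" | grep -q '^Response verify OK' || return 1
    printf '%s\n' "$report" | grep -q -e ': good$' || return 1
    ! printf '%s\n' "$report" | grep -q -e ': revoked' -e ': unknown'
}

# Extract the "Next Update" timestamp so the cron log records the expiry.
ocsp_next_update() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Next Update: //p'
}

refresh_staple() {
    tmp=$(mktemp "${STAPLE}.XXXXXX") || return 1
    # openssl ocsp writes "Response verify OK" to stderr and the status lines
    # to stdout, so both streams are captured. The two-argument -header form
    # is OpenSSL 1.0.x syntax (1.1.0+ uses -header Host=...).
    report=$(openssl ocsp -no_nonce \
        -respout "$tmp" \
        -issuer "$ISSUER_CERT" \
        -cert "$SITE_CERT" \
        -CAfile "$CA_BUNDLE" \
        -VAfile "$CA_BUNDLE" \
        -url "$OCSP_URL" \
        -header "HOST" "$OCSP_HOST" 2>&1)
    if ocsp_report_ok "$report"; then
        mv -f "$tmp" "$STAPLE"   # atomic replacement of the staple file
        echo "staple refreshed, valid until $(ocsp_next_update "$report")"
        service nginx reload
    else
        rm -f "$tmp"
        echo "OCSP refresh failed, keeping the previous staple:" >&2
        printf '%s\n' "$report" >&2
        return 1
    fi
}

# Confirm from the client side that nginx now serves a successful staple.
check_served_staple() {
    echo QUIT | openssl s_client -connect "$1:443" -status 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Usage (assumed): run daily from cron, well inside the 7-day window
# between "This Update" and "Next Update" seen in the post's output.
#   refresh_staple && check_served_staple blog.zbusa.com
```

Schedule refresh_staple well before the Next Update timestamp (daily is comfortable for the weekly window the post's output shows); because the old file is only replaced after the new report passes ocsp_report_ok, a responder outage leaves the still-valid previous staple in place rather than an empty or unverified one.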
