Nginx

Let's Encrypt - nginx - OCSP stapling

  • February 21, 2016

I want to enable OCSP stapling on my nginx server. I am using

  • nginx version: nginx/1.6.2
  • Debian
  • a Let's Encrypt certificate

I really have no experience with this, so it may be a trivial question.

Here is my nginx security config

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_session_cache shared:SSL:10m;
   ssl_dhparam /etc/ssl/private/dhparams_4096.pem;

Here is my site/server security config:

   add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

   # All files have been generated by Let's encrypt
   ssl_certificate /etc/letsencrypt/live/myexample.org/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/myexample.org/privkey.pem;

   # Everything below this line was added to enable OCSP stapling
   # What is that (generated file) and is that required at all?
   ssl_trusted_certificate /etc/letsencrypt/live/myexample.org/chain.pem;

   ssl_stapling on;
   ssl_stapling_verify on;
   resolver 8.8.8.8 8.8.4.4 valid=300s;
   resolver_timeout 5s;

I read that this is enough to enable OCSP stapling.

But if I use

   openssl s_client -connect myexample.org:443 -tls1 -tlsextdebug -status

I get the following response:

   TLS server extension "renegotiation info" (id=65281), len=1
   0001 - <SPACES/NULS>
   TLS server extension "EC point formats" (id=11), len=4
   0000 - 03 00 01 02                                       ....
   TLS server extension "session ticket" (id=35), len=0
   TLS server extension "heartbeat" (id=15), len=1
   0000 - 01                                                .
   OCSP response: no response sent
   depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
   verify error:num=20:unable to get local issuer certificate
   verify return:0
   ---
   Certificate chain
   0 s:/CN=myexample.org
     i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
     i:/O=Digital Signature Trust Co./CN=DST Root CA X3
   ---
   [...]

In particular

   OCSP response: no response sent

What am I doing wrong?

Certificate hierarchy:

  • DST Root CA X3

    • Let's Encrypt Authority X1

      • myexample.org

Edit:

   OCSP: URI: http://ocsp.int-x1.letsencrypt.org/
   CA-Issuer: URI: http://cert.int-x1.letsencrypt.org/

I found the solution based on a tutorial found there:

   cd /etc/ssl/private
   # download the root and intermediate certificates and append them to one CA bundle
   wget -O - https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem https://letsencrypt.org/certs/letsencryptauthorityx1.pem https://www.identrust.com/certificates/trustid/root-download-x3.html | tee -a ca-certs.pem > /dev/null

and add this to your site/server config

   ssl_stapling on;
   ssl_stapling_verify on;
   ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;

Reload your config.

Important: open your browser and visit your web page once.

Then you can test your server locally with this cmd:

   openssl s_client -connect myexample.org:443 -tls1 -tlsextdebug -status

Most likely you will get a valid response like this

   OCSP response:
   ======================================
   OCSP Response Data:
      OCSP Response Status: successful (0x0)
      Response Type: Basic OCSP Response
      Version: 1 (0x0)
      Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1

Don't worry if you get a

   Verify return code: 20 (unable to get local issuer certificate)

at the bottom as well; the Let's Encrypt certificates are not yet in the default trusted certificate store. (I don't have much ssl experience, so I may be wrong.)

If you run the following cmd on the server, that error is not shown:

   openssl s_client -CApath /etc/ssl/private/ -connect myexample.org:443 -tls1 -tlsextdebug -status

Afterwards you can test your server with:

   https://www.digicert.com/help/

Note that the ssllabs test currently does not fetch the OCSP response. I think this is because the Let's Encrypt certificates are not yet in the default trusted certificate store.
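As an added example (not from the original question or answers), a small POSIX shell helper that classifies the `openssl s_client -status` transcript shown above, so the "no response sent" regression can be checked from a script instead of by eye. The function names `ocsp_classify`, `ocsp_verify_code` and `check_stapling` and the label `bad-staple` are my own; `-servername` replaces the post's `-tls1`, and the CA bundle path is the one from the edit above.

```shell
#!/bin/sh
# ocsp_classify: read an `openssl s_client -status` transcript on stdin and
# print one word describing the stapling state:
#   stapled     a response was stapled and its status is "successful"
#   bad-staple  a response was stapled but its status is something else
#   unstapled   "OCSP response: no response sent" (the situation in the question)
#   unknown     neither marker present (handshake failed, wrong host, ...)
ocsp_classify() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^OCSP response: no response sent'; then
        echo unstapled
    elif printf '%s\n' "$transcript" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$transcript" | grep -q '^OCSP response:'; then
        echo bad-staple
    else
        echo unknown
    fi
}

# ocsp_verify_code: print the numeric "Verify return code" from a transcript
# (20 = unable to get local issuer certificate, as in the post; 0 = chain OK).
ocsp_verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# check_stapling HOST [PORT] [CAFILE]: run the live probe and classify it.
# -servername sends SNI so a host serving several certificates picks the right
# one; the post's -tls1 is dropped because current servers refuse TLS 1.0.
# CAFILE is the concatenated CA bundle from the answer (assumed path:
# /etc/ssl/private/ca-certs.pem); with it the verify return code becomes 0.
# "Q" on stdin tells s_client to close the connection after the handshake.
check_stapling() {
    host=$1; port=${2:-443}; cafile=$3
    set -- -connect "$host:$port" -servername "$host" -status
    if [ -n "$cafile" ]; then set -- "$@" -CAfile "$cafile"; fi
    printf 'Q\n' | openssl s_client "$@" 2>/dev/null | ocsp_classify
}

# Live use (needs network): check_stapling myexample.org 443 /etc/ssl/private/ca-certs.pem
```

nginx fetches the OCSP response lazily after the first TLS handshake, so a probe run immediately after a reload can still report `unstapled`; that is why the edit says to visit the site once before testing.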

With the standard nginx setup you don't need to specify the ssl_trusted_certificate chain. The following is sufficient:

   ssl_certificate /etc/letsencrypt/live/myexample.org/fullchain.pem;
   ssl_certificate_key /etc/letsencrypt/live/myexample.org/privkey.pem;
   ssl_stapling on;
   ssl_stapling_verify on;

See here for more context.

Source: https://unix.stackexchange.com/questions/259430