Opened 9 years ago
Closed 9 years ago
#553 closed defect (worksforme)
OCSP stapling does not work when the OCSP server has a CNAME
Reported by: www.google.com/accounts/o8/id?id=AItOawnljTXWIu91q1P8AwBHNny0iJcGROHqUz8
Owned by:
uname -a: SunOS starvald 5.11 oi_151a7 i86pc i386 i86pc
nginx version: nginx/1.7.0
built by gcc 4.8.2 (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local --conf-path=/usr/local/etc/nginx --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-select_module --with-poll_module --with-http_stub_status_module --with-http_gzip_static_module --without-http_scgi_module --without-http_uwsgi_module --with-cc-opt='-I/usr/local/include -I/usr/local/ssl/include -DNGINX_DTRACE=1' --with-ld-opt='-L /usr/local/lib -L /usr/local/ssl/lib' --error-log-path=/tmp/nginx_error.log --with-http_spdy_module --with-http_auth_request_module --add-module=/home/majid/apsalar/lib/aphash --add-module=/home/majid/apsalar/lib/http_success
I am trying to enable OCSP Stapling on a server with a RapidSSL (Geotrust) SSL certificate. The OCSP responder for the cert is rapidssl-ocsp.geotrust.com, which is CNAME-ed to Akamai as follows:
starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61334
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.        IN  A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com.       0   IN  CNAME  ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 0   IN  CNAME  e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net.          20  IN  A      220.127.116.11

;; Query time: 1141 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:03:57 2014
;; MSG SIZE  rcvd: 140
I see in my error logs, with both nginx 1.5.13 and 1.7.0, the error message:
2014/04/30 17:48:22 [error] 20014#0: rapidssl-ocsp.geotrust.com could not be resolved (145: Operation timed out) while requesting certificate status, responder: rapidssl-ocsp.geotrust.com
If I change my local DNS caching server to send back directly an A record for rapidssl-ocsp.geotrust.com, I no longer see the error. Of course, that is not a viable strategy on a production web server as Geotrust or Akamai may change its OCSP responders' IP over time.
starvald ~majid/build#grep ocsp /etc/unbound/unbound.conf
local-data: "rapidssl-ocsp.geotrust.com. A 18.104.22.168"

starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.        IN  A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com.  3600  IN  A  22.214.171.124

;; Query time: 0 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:02:11 2014
;; MSG SIZE  rcvd: 60
It can't be an error related to DNS timeouts, as the A record is supplied at the same time as the CNAME by the DNS server, and thus no additional lookup should be necessary. Most likely, nginx just can't deal with the DNS response if it has a CNAME instead of the expected A (or AAAA?). Or perhaps it is the 2 CNAME hops that are throwing nginx off.
Change History (2)
comment:1 by , 9 years ago
comment:2 by , 9 years ago
Status: new → closed
The most likely reason for the problem you are seeing is broken AAAA address resolution somewhere in your setup. Your nginx is compiled with IPv6 and will try to resolve both A and AAAA addresses, and the message indicates that one of the DNS requests (either for A or AAAA records) times out.
I've just tested with OCSP responder set to rapidssl-ocsp.geotrust.com, and it resolves fine here without any problems.
Did you define a resolver in your nginx config?
For the OCSP stapling to work, the certificate of the server certificate issuer should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.
For a resolution of the OCSP responder hostname, the resolver directive should also be specified.
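The configuration the closing comment describes, as an added example that is not part of the ticket: a server block with stapling, the issuer chain in ssl_trusted_certificate, and a resolver directive that restricts lookups to A records so a broken AAAA path cannot time the lookup out. The server name, certificate paths and timeouts are assumptions; the resolver address is the one seen in the reporter's dig output.

```nginx
# Added example, not the reporter's config. Paths and server_name are assumed.
server {
    listen 443 ssl;
    server_name example.com;                                   # assumed

    # Leaf certificate (ideally with intermediates concatenated) and its key.
    ssl_certificate     /usr/local/etc/nginx/certs/example.com.crt;  # assumed path
    ssl_certificate_key /usr/local/etc/nginx/certs/example.com.key;  # assumed path

    # If the intermediates are not in ssl_certificate, the issuer of the
    # server certificate must be here so nginx can verify the OCSP response.
    ssl_trusted_certificate /usr/local/etc/nginx/certs/rapidssl-chain.pem;  # assumed path

    ssl_stapling        on;
    ssl_stapling_verify on;

    # Optional: override the responder taken from the certificate's AIA extension.
    # ssl_stapling_responder http://rapidssl-ocsp.geotrust.com;

    # Misconfiguration seen in tickets like this one: no resolver at all, so the
    # responder hostname can never be looked up. Fix: name a resolver, and since
    # this build has IPv6 enabled nginx would query A and AAAA; ipv6=off keeps
    # the lookup to A records, which avoids a hang if AAAA answers never arrive.
    resolver 10.0.0.28 valid=300s ipv6=off;   # address from the dig output above
    resolver_timeout 5s;                       # assumed; default is 30s
}
```

After reloading, `openssl s_client -connect example.com:443 -status` should print an "OCSP Response Status: successful" block; nginx fetches the response lazily, so the very first handshake after a reload may still show "OCSP response: no response sent".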