Opened 7 years ago

Closed 6 years ago

#553 closed defect (worksforme)

OCSP stapling does not work when the OCSP server has a CNAME

Reported by: www.google.com/accounts/o8/id?id=AItOawnljTXWIu91q1P8AwBHNny0iJcGROHqUz8
Owned by:
Priority: major
Milestone: 1.7
Component: nginx-core
Version: 1.5.x
Keywords:
Cc:
uname -a: SunOS starvald 5.11 oi_151a7 i86pc i386 i86pc
nginx -V: nginx version: nginx/1.7.0
built by gcc 4.8.2 (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local --conf-path=/usr/local/etc/nginx --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-select_module --with-poll_module --with-http_stub_status_module --with-http_gzip_static_module --without-http_scgi_module --without-http_uwsgi_module --with-cc-opt='-I/usr/local/include -I/usr/local/ssl/include -DNGINX_DTRACE=1' --with-ld-opt='-L /usr/local/lib -L /usr/local/ssl/lib' --error-log-path=/tmp/nginx_error.log --with-http_spdy_module --with-http_auth_request_module --add-module=/home/majid/apsalar/lib/aphash --add-module=/home/majid/apsalar/lib/http_success

Description

I am trying to enable OCSP Stapling on a server with a RapidSSL (Geotrust) SSL certificate. The OCSP responder for the cert is rapidssl-ocsp.geotrust.com, which is CNAME-ed to Akamai as follows:

starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61334
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.    IN      A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com. 0   IN      CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 0 IN  CNAME   e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20     IN      A       23.5.251.27

;; Query time: 1141 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:03:57 2014
;; MSG SIZE  rcvd: 140

I see in my error logs, with both nginx 1.5.13 and 1.7.0, the error message:

2014/04/30 17:48:22 [error] 20014#0: rapidssl-ocsp.geotrust.com could not be resolved (145: Operation timed out) while requesting certificate status, responder: rapidssl-ocsp.geotrust.com

If I change my local DNS caching server to send back an A record for rapidssl-ocsp.geotrust.com directly, I no longer see the error. Of course, that is not a viable strategy on a production web server, as Geotrust or Akamai may change their OCSP responders' IP over time.

starvald ~majid/build#grep ocsp /etc/unbound/unbound.conf
        local-data:     "rapidssl-ocsp.geotrust.com. A 23.5.251.27"

starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.    IN      A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com. 3600 IN     A       23.5.251.27

;; Query time: 0 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:02:11 2014
;; MSG SIZE  rcvd: 60

It can't be an error related to DNS timeouts, as the A record is supplied at the same time as the CNAME by the DNS server, and thus no additional lookup should be necessary. Most likely, nginx just can't deal with the DNS response if it has a CNAME instead of the expected A (or AAAA?). Or perhaps it is the 2 CNAME hops that are throwing nginx off.

Change History (2)

comment:1 by frankbb.pip.verisignlabs.com, 7 years ago

Did you define a resolver in your nginx config?

For the OCSP stapling to work, the certificate of the server certificate issuer should be known. If the ssl_certificate file does not contain intermediate certificates, the certificate of the server certificate issuer should be present in the ssl_trusted_certificate file.

For a resolution of the OCSP responder hostname, the resolver directive should also be specified.

comment:2 by Maxim Dounin, 6 years ago

Resolution: worksforme
Status: new → closed

The most likely reason for the problem you are seeing is broken AAAA address resolution somewhere in your setup. Your nginx is compiled with IPv6 and will try to resolve both A and AAAA addresses, and the message indicates that one of the DNS requests (either for A or AAAA records) times out.

I've just tested with OCSP responder set to rapidssl-ocsp.geotrust.com, and it resolves fine here without any problems.
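The two explanations above pull in different directions: the reporter points out that the A record arrives in the same answer as the CNAME chain, so no extra lookup is needed, while Maxim Dounin points out that an IPv6-enabled nginx also issues an AAAA query and needs that one to come back too. The following diagnostic is an added example, not part of this ticket or of nginx. It parses dig-style answer lines (the reporter's ANSWER SECTION, embedded as sample input, plus a constructed AAAA answer that carries only the CNAME chain, which is what a NOERROR/no-data AAAA response looks like), follows the CNAME chain within a single answer, and reports which of the two lookups would block stapling. The "both queries must complete" model and the sample AAAA answer are assumptions.

```python
import re

# Constructed sample input: the ANSWER SECTION of the reporter's `dig a` output.
SAMPLE_A_ANSWER = """\
rapidssl-ocsp.geotrust.com. 0   IN      CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 0 IN  CNAME   e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20     IN      A       23.5.251.27
"""

# Constructed (assumed) AAAA answer: the CNAME chain is returned, but the final
# name has no AAAA record, so the answer carries no address at all.
SAMPLE_AAAA_ANSWER = """\
rapidssl-ocsp.geotrust.com. 0   IN      CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 0 IN  CNAME   e8218.ce.akamaiedge.net.
"""

# owner  ttl  IN  type  rdata  (dig's default presentation format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")


def parse_answer(text):
    """Parse dig-style resource record lines into (owner, ttl, type, rdata).

    Comment lines (';') and anything that is not an A/AAAA/CNAME record are
    skipped, so a whole dig transcript can be passed in unchanged.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, ttl, rtype, rdata = m.groups()
        owner = owner.lower().rstrip(".")
        if rtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        records.append((owner, int(ttl), rtype, rdata))
    return records


def follow_chain(records, name, want, max_hops=8):
    """Follow CNAMEs from `name` inside one answer set.

    Returns (chain_of_names, addresses_of_type_want). The chain is bounded and
    loop-checked so a malformed answer cannot make the caller spin forever.
    """
    chain = [name.lower().rstrip(".")]
    addresses = []
    for _ in range(max_hops):
        target = None
        for owner, _ttl, rtype, rdata in records:
            if owner != chain[-1]:
                continue
            if rtype == want:
                addresses.append(rdata)
            elif rtype == "CNAME":
                target = rdata
        if addresses or target is None:
            return chain, addresses
        if target in chain:
            raise ValueError("CNAME loop: " + " -> ".join(chain + [target]))
        chain.append(target)
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def diagnose(name, a_answer, aaaa_answer):
    """Model an IPv6-enabled nginx resolver (assumption): both the A and the
    AAAA query are sent, and stapling cannot proceed until both have answered.

    `aaaa_answer` is None when that query never got a response (timeout).
    """
    a_chain, a_addrs = follow_chain(parse_answer(a_answer), name, "A")
    if aaaa_answer is None:
        return {"ok": False, "reason": "AAAA query timed out",
                "chain": a_chain, "a": a_addrs, "aaaa": None}
    _, aaaa_addrs = follow_chain(parse_answer(aaaa_answer), name, "AAAA")
    if not a_addrs and not aaaa_addrs:
        return {"ok": False, "reason": "no address records in either answer",
                "chain": a_chain, "a": a_addrs, "aaaa": aaaa_addrs}
    return {"ok": True, "reason": "resolved",
            "chain": a_chain, "a": a_addrs, "aaaa": aaaa_addrs}


if __name__ == "__main__":
    host = "rapidssl-ocsp.geotrust.com"
    # Reporter's situation as Maxim Dounin reads it: A fine, AAAA never answers.
    print(diagnose(host, SAMPLE_A_ANSWER, None))
    # Healthy resolver: AAAA answers (even with no address), so stapling proceeds.
    print(diagnose(host, SAMPLE_A_ANSWER, SAMPLE_AAAA_ANSWER))
```

Run with two dig transcripts (`dig a` and `dig aaaa` against the resolver named in nginx's `resolver` directive) and the script tells you whether the CNAME chain is the problem (it is not in the reporter's answer: the chain terminates in an A record inside the same response) or whether the AAAA side is what never comes back. The nginx side of the check is the configuration comment:1 lists: a `resolver` that answers both record types, `ssl_stapling on`, and the issuer certificate reachable through `ssl_certificate` or `ssl_trusted_certificate`.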
