Opened 9 years ago
Closed 9 years ago
#865 closed defect (invalid)
OCSP (ssl module)
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | nginx-module | Version: | 1.4.x |
Keywords: | ssl, ocsp | Cc: | |
uname -a: | Linux rutracker.space 3.13.0-68-generic #111-Ubuntu SMP Fri Nov 6 18:17:06 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-auth-pam --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-echo --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/nginx-upstream-fair --add-module=/build/nginx-vKB75B/nginx-1.4.6/debian/modules/ngx_http_substitutions_filter_module
Description
Hello.
I have bought an SSL certificate (Comodo PositiveSSL) through the namecheap.com service and configured the nginx web server for the domain s.rutracker.space (https://s.rutracker.space/).
The SSL check status is A+: https://www.ssllabs.com/ssltest/analyze.html?d=s.rutracker.space. Another SSL checker: https://www.sslchecker.com/sslchecker?su=7198874d48aff28a909a5beb3422170d.
But in the nginx log I saw "2015/12/20 22:54:55 [error] 15300#0: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com". Namecheap support told me that OCSP doesn't work, and they were trying to find a solution for an hour. Comodo support recommended that I follow these instructions: https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/1015/0/.
It seems everything should work, but it doesn't.
nginx config:
```nginx
resolver_timeout 10s;
resolver 8.8.8.8;

server {
    listen 443 deferred spdy ssl;
    listen [::]:443 deferred spdy ssl ipv6only=on;
    server_name s.rutracker.space;
    root /usr/share/nginx/www/rutracker.space;
    server_tokens off;
    keepalive_timeout 70;

    # ssl
    ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # OCSP stapling; the resolver above is used to reach the responder
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem;

    add_header "Strict-Transport-Security" "max-age=31536000";
    add_header "X-Frame-Options" "SAMEORIGIN";
    add_header "X-Content-Type-Options" "nosniff";
    add_header "X-XSS-Protection" "1; mode=block";

    location / {
        try_files $uri $uri/ /tmp.txt =404;
    }
    location ~ /\. {
        access_log off;
        log_not_found off;
        deny all;
    }
    location ~ ~$ {
        access_log off;
        log_not_found off;
        deny all;
    }
}
```
Change History (4)
comment:1 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
The OCSP response returned is signed by a certificate which is not present in your trusted list. This may happen if:
- ssl_trusted_certificate doesn't contain needed certificates;
Either way, it doesn't look like an nginx bug. If in doubt, switch off ssl_stapling_verify.
comment:2 by , 9 years ago
Disabling the "ssl_stapling_verify" directive makes no difference:
2015/12/22 20:00:52 [error] 5464#0: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder: ocsp.comodoca.com
Comodo gives me the full-chain certificates, which are in "ssl_trusted_certificate". https://support.comodo.com/index.php?/Knowledgebase/Article/GetAttachment/979/1056459
comment:3 by , 9 years ago
Resolution: | invalid → |
---|---|
Status: | closed → reopened |
comment:4 by , 9 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
If you are using an old OpenSSL library, you may be facing an old OpenSSL bug described in ticket #556. The fix is either to upgrade OpenSSL or to make sure the issuer certificate is available in the certificate chain, as described in the docs.
Please use the support options available if you need further help. Trac is for tracking bugs; it's the wrong place to ask for help with configuration.
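The resolution in comment 4 is that the issuer certificate must be in the certificate chain, not merely in the trusted list. The following POSIX shell script is an added example, not part of the ticket and not nginx's or OpenSSL's own code: it reproduces the logged `OCSP_basic_verify:signer certificate not found` error offline with a throwaway three-level PKI (root, issuing CA, server certificate), where the issuing CA signs a "good" OCSP response with its own key and leaves its certificate out of the response, and then shows that offering the issuer as part of the chain clears the error while a full chain in the trust store alone does not. It assumes an `openssl` binary (1.1.1 or newer) on PATH; the CA names, the hostname s.example.test, the serial numbers and the temp-directory file names are all made up for the example.

```sh
#!/bin/sh
# Added example (not from the ticket, not nginx's or OpenSSL's own code).
# Reproduces "OCSP_basic_verify:signer certificate not found" offline with a
# throwaway PKI, then shows that handing the issuer certificate to the
# verifier as part of the chain clears it. Assumes an openssl binary
# (1.1.1 or newer) on PATH; every name below is made up.

# build_pki DIR: root CA -> issuing CA -> server cert, the same shape as
# root -> PositiveSSL CA -> server certificate in the ticket. Also writes
# full_chain.pem (issuing CA + root), the file the ticket trusts.
build_pki() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\n' \
        >"$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -set_serial 1 \
        -days 365 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 0x10 -days 365 -extfile "$dir/ca.ext" -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=s.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -set_serial 0x1001 -days 365 -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/int.pem" "$dir/root.pem" >"$dir/full_chain.pem"
    # Minimal ca-style index so `openssl ocsp` can act as the responder:
    # status, expiry, revocation date (empty), serial, file placeholder, subject.
    printf 'V\t300101000000Z\t\t1001\tunknown\t/CN=s.example.test\n' >"$dir/index.txt"
    printf 'unique_subject = yes\n' >"$dir/index.txt.attr"
}

# make_response DIR: the issuing CA signs a "good" response for the server
# cert with its own key and leaves its certificate out of the response
# (-resp_no_certs), which is the situation the logged error describes.
make_response() {
    dir=$1
    openssl ocsp -index "$dir/index.txt" -CA "$dir/int.pem" \
        -rsigner "$dir/int.pem" -rkey "$dir/int.key" \
        -issuer "$dir/int.pem" -cert "$dir/leaf.pem" -no_nonce -ndays 1 \
        -resp_no_certs -noverify -respout "$dir/resp.der" >/dev/null 2>&1 || true
    [ -s "$dir/resp.der" ]
}

# verify_response DIR MODE: verify the stored response the way a stapling
# server calls OCSP_basic_verify(). -CAfile is the trust store and holds the
# full chain, as in the ticket; with MODE=with-issuer the issuer is also
# offered via -verify_other, i.e. as part of the certificate chain.
# Prints: ok | signer-not-found | other-failure
verify_response() {
    dir=$1
    mode=$2
    if [ "$mode" = with-issuer ]; then
        out=$(openssl ocsp -respin "$dir/resp.der" -CAfile "$dir/full_chain.pem" \
                -verify_other "$dir/int.pem" 2>&1 || true)
    else
        out=$(openssl ocsp -respin "$dir/resp.der" -CAfile "$dir/full_chain.pem" 2>&1 || true)
    fi
    case $out in
        *"Response verify OK"*)            echo ok ;;
        *"signer certificate not found"*)  echo signer-not-found ;;
        *)                                 echo other-failure ;;
    esac
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_pki "$work" && make_response "$work"
    echo "full chain in trust store only: $(verify_response "$work" trust-store-only)"
    echo "issuer in the chain as well:    $(verify_response "$work" with-issuer)"
    rm -rf "$work"
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

`-CAfile` plays the trust store (what ssl_trusted_certificate is loaded into) and `-verify_other` plays the extra certificate list that OCSP_basic_verify() receives next to it, which nginx fills from the certificate chain; that is why comment 4 points at the chain rather than at ssl_trusted_certificate. OpenSSL looks for the response signer only in that list and in the certificates embedded in the response, never in the trust store, so a full chain in ssl_trusted_certificate does not help when the responder omits its own certificate. Turning off ssl_stapling_verify does not avoid it either: the signer lookup happens before the signature check and is not controlled by the verify flag, which matches the result in comment 2.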