Why OCSP stapling on NGINX for "buypass" DV certs fails without explicit root declaration?

nginx lets-encrypt certbot x509

Solution 1:

Update

It turns out that OpenSSL does not correctly handle OCSP responses signed by a designated authority (not the issuer). Although RFC 6960 explicitly denotes that an OCSP response should be verified using only the issuer cert (which also certifies the designated authority), OpenSSL does not abide by this and requires you to explicitly include the root certificate. If you use the CLI this happens automatically (use a combination of -CAfile and -noCApath to verify this!).

Original answer

It took me a fairly long time to figure this out! The problem is not NGINX but OpenSSL. I have found out that if the the OCSP is signed by a designated responder (see RFC 6960), whose certificate is included in the OCSP response, OpenSSL fails to regard this additional certificate when verifying the response. I cannot exactly say why this problem does not arise when using the OpenSSL OCSP CLI (i.e., openssl ocsp -issuer x -cert y -url z).

Related

CloudFormation: How to get a list of key pairs in a given region
Nginx Redirect regex
Traefik SSL for a service that runs on non-standard port
I have an internal PKI with a shared root CA, and multiple intermediate CAs, how do I make anything issued by any intermediate CA to trust everything?
Security issue with pg_hba.conf
Domain blocked by ISP
Http 500 internal server error on MVC3 deployment
Identifying saturated disks on CentOS 8
Change alias of Exchange Online mailbox
How to troubleshoot network flows across peered VPC
nftables mangling without NOTRACK: what can happen?
Why Spark writes Null in DeltaLake Table