So it took me a while to figure out why OCSP Stapling wasn't working on the server I'm building with Adam. I figured I'd write down what I found here to cover the problems I ran into. This is by no means a comprehensive list or solution, just what I found worked for me.
It seems that for OCSP stapling to work properly you need to enable it in the default server block.
In /etc/nginx/sites-enabled/default:
server {
    listen 443;
    server_name _;
    ssl on;
    ssl_stapling on;
    ssl_certificate /etc/nginx/certs/your_cert.pem;
    ssl_certificate_key /etc/nginx/certs/your_cert.key;
}
For whatever reason this wasn't working on its own for me, so I also added ssl_stapling on; to the http block in /etc/nginx/nginx.conf.
Now OCSP stapling seems to be working correctly on my other subdomains as well; the earlier failures there appear to have been due to a limitation of the openssl test, which does not send SNI.
You can test your own OCSP Stapling status using the following command:
openssl s_client -connect your.site:443 -tls1 -tlsextdebug -status
It appears that on the first load the response isn't necessarily cached yet, so try running the command twice back to back and check whether you see:
OCSP response: no response sent
or:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
    Produced At: Oct 18 00:36:24 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
      Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
      Serial Number: FD9BEFA92F8BEBCE721B67BED87783E3
    Cert Status: good
    This Update: Oct 18 00:36:24 2014 GMT
    Next Update: Oct 22 00:36:24 2014 GMT
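As an added example (not from the original post), here is a small shell helper that turns the manual two-run check above into something repeatable: it classifies an s_client transcript as stapled or not, reads the Cert Status line so a stapled "revoked" is not mistaken for success, and probes a host twice with -servername so the request carries SNI instead of landing in the default server block. It assumes openssl is on PATH; the two sample transcripts are constructed from the outputs shown in the post.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -status` output and probe a host with SNI.

# Classify an s_client transcript read from stdin.
# Prints one of: no-staple, stapled-<Cert Status>, unknown
classify_ocsp() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo no-staple
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        # A stapled response is only "good news" if the status inside it is good.
        status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status: //p' | head -n 1)
        echo "stapled-${status:-unknown}"
    else
        echo unknown
    fi
}

# Probe host:port up to twice. -servername makes s_client send SNI, so the
# handshake reaches the intended virtual host rather than the default block.
# The second attempt covers nginx not having a cached response on first load.
probe_ocsp() {
    host=$1; port=${2:-443}
    for attempt in 1 2; do
        result=$(echo Q | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null | classify_ocsp)
        echo "attempt $attempt: $result"
        if [ "$result" != no-staple ]; then break; fi
    done
}

# Constructed sample transcripts mirroring the two outcomes described in the post.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Oct 18 00:36:24 2014 GMT'
SAMPLE_NONE='OCSP response: no response sent'

# Usage: ./check_ocsp.sh your.site [port]
if [ $# -gt 0 ]; then probe_ocsp "$1" "${2:-443}"; fi
```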