Configuring OCSP

[pikausp]

Information

https://whatismybrowser.com/w/QCB7F49

Help request

Problem

OCSP is not enabled after using the generated configuration. Multiple tools (digicert helpers, ssllabs, openssl) report that OCSP is disabled. I made sure I was checking this on subsequent requests due to asynchronicity of the OCSP fetch.

What I have tried

The OCSP stapling configured in the nginx.conf

# OCSP Stapling
ssl_stapling           on;
ssl_stapling_verify    on;
resolver               1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout       2s;

The trusted certificate configured in the server block (some systems might require this when ssl_stapling_verify is on)

ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

[YashasviChaurasia]

I would like to work on this issue.
Could you please elaborate on the issue and assign it to me?
Thank you.

[MattIPv4]

👋 @YashasviChaurasia Happy to assign this to you -- I believe this issue involves doing some investigation work into why exactly the referenced tooling reports that OCSP is disabled when the configuration generated by the tool includes OCSP.

[YashasviChaurasia]

@MattIPv4

 When enabling and/or configuring OCSP Stapling on your servers, keep in mind that the OCSP request from your server to the CA must be allowed access through your firewall 

have we checked this?

[MattIPv4]

I have not investigated this, no. This issue is to investigate what is happening, which may mean you need to setup a test NGINX server to see if OCSP is working, and why it isn't if it isn't.

[YashasviChaurasia]

How would I submit PR for this issue? I would like this issue to add up to my hacktoberfest PRs.
I would work on this issue anyways but is there a way in which I can make it count?

[MattIPv4]

If there is a bug in how we configure OCSP in the tool, then there'd be a need for a PR to fix that. But first, investigation needs to be done to see if the tool actually causes OCSP to not work, or if the issue is unrelated to the config the tool produces.