OCSP must staple nginx configuration



  • Good morning all.

    I use Letsencrypt wildcard certificates and have installed them into my pfSense box. I get an error in Mozilla Firefox when connecting:

    MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
    

    This indicates an error with the pfSense box's OCSP stapling response (https://support.mozilla.org/en-US/questions/1149911). When requesting the certificate through acme.sh, I have used the --ocsp-must-staple option. Since I assign my pfSense box an internal DNS entry with the domain listed in the certificate, my browser expects an OCSP response.

    I checked the OCSP response thusly:

    [berbec@server]$ openssl s_client -connect pfsense.example.com:443 -status < /dev/null
    -snip-
                    OCSP response: no response sent
    -snip-
    

    Because my certificate is issued with must staple, and Firefox had gone to a site with one of my domains previously, and it got the OCSP must staple directive for my main domain, it applies it to all subdomains, including the pfSense box.

    There are a few modifications needed to pfSense's configuration to make OCSP stapling work.

    1. Four lines need to be added to /var/etc/nginx-webConfigurator.conf

                    ssl_stapling on;
                    ssl_stapling_verify on;
                    resolver 8.8.8.8 1.1.1.1 valid=300s;
                    resolver_timeout 5s;
    

    2. The certificate uploaded through the GUI has to be the full certificate chain, including the CA cert; not just the certificate.

    You can also upload the CA certificate separately, and add an additional line to the nginx configuration:

    ssl_trusted_certificate /var/etc/ca.crt;
    

    But I find just uploading the fullchain certificate to be easier.

    Having made these changes, I receive the following response from the above openssl command:

    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Mar 31 08:00:00 2018 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: blhalbah
          Issuer Key Hash: foobar
          Serial Number: barfoo
        Cert Status: good
        This Update: Mar 31 08:00:00 2018 GMT
        Next Update: Apr  7 08:00:00 2018 GMT
    

    My question is how can I ensure this sticks? I know editing the configuration manually is a bad idea, but I needed to get this working and did not want to disable stapling in Firefox. I currently have my Letsencrypt deployment hook upload, via SCP, the new certs and a copy of the working nginx configuration, but this is not ideal. What would be perfect is an option somewhere to enable OCSP stapling in the webUI.

    Thanks for your time.
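As an added example (not code from the post above), a small POSIX shell script that classifies the stapling status from `openssl s_client -status` output and checks whether a PEM certificate carries the Must-Staple (TLS Feature) extension, the combination that produces the Firefox error quoted above; pfsense.example.com is a placeholder host and openssl is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the forum post. Checks the two halves of the
# failure described above: does the server staple, and does the cert demand it?
# Assumes openssl is on PATH; pfsense.example.com is a placeholder host.

# Constructed samples of `openssl s_client -status` output before and after the fix.
SAMPLE_NO_STAPLE='OCSP response: no response sent'
SAMPLE_STAPLED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: Apr  7 08:00:00 2018 GMT'

# Classifies captured s_client output.
# Returns 0 = good stapled response, 1 = nothing stapled, 2 = stapled but not "good".
classify_staple_output() {
    text="$1"
    if printf '%s\n' "$text" | grep -q 'no response sent'; then
        return 1
    fi
    if printf '%s\n' "$text" | grep -q 'OCSP Response Status: successful' &&
       printf '%s\n' "$text" | grep -q 'Cert Status: good'; then
        return 0
    fi
    return 2
}

# Probes a live host the way the post did (SNI added so the right cert is served)
# and classifies the result. Usage: probe_host pfsense.example.com 443
probe_host() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>/dev/null)
    classify_staple_output "$out"
}

# Returns 0 when a PEM certificate carries the TLS Feature (Must-Staple)
# extension, meaning clients such as Firefox will hard-fail without a staple.
# Older OpenSSL prints the raw OID instead of the extension name, so match both.
cert_requires_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Stand-alone demo: report on the constructed samples.
for s in "$SAMPLE_NO_STAPLE" "$SAMPLE_STAPLED"; do
    classify_staple_output "$s" && echo "stapled and good" || echo "problem (rc=$?)"
done
```

Run `probe_host` against the firewall before and after editing the nginx configuration; a return code of 1 on a Must-Staple certificate is exactly the state Firefox refuses.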


  • Rebel Alliance Developer Netgate

    If you want that to stick, you will need to add those lines into the code that generates the nginx configuration.

    We looked into doing OCSP stapling a couple years ago and decided against it since the web server is not a public server, nor is it high traffic.

    We may change that stance eventually, but at the moment I don't see any compelling argument in favor of adding it yet.



  • I'm perfectly fine with the setup I have for myself. SCPing over the config file and restarting nginx doesn't bother me. I just thought it might benefit the community. Anyone who uses must staple will run into this, and with LetsEncrypt making wildcard certs available, this may become a more common issue. I believe you can get around it by going to the machine by IP.

    Where would I find the nginx config generation files? Am I correct in assuming it's in /etc/inc/system.inc:

    function system_generate_nginx_config()


  • Rebel Alliance Developer Netgate

    Yes, that is the correct function. If you keep the original file and then make a diff/patch from that to apply your changes, you can use the system patches package to maintain your alterations rather than redoing them after every update.

    Generally speaking people using ACME/LE certs with pfSense will be using the pfSense ACME package to generate them, and we don't have an option for OCSP stapling in there, yet, either. So in terms of use with pfSense, probably not as common.



  • OK It's a small diff.



  • @jimp:

    Yes, that is the correct function. If you keep the original file and then make a diff/patch from that to apply your changes, you can use the system patches package to maintain your alterations rather than redoing them after every update.

    Generally speaking people using ACME/LE certs with pfSense will be using the pfSense ACME package to generate them, and we don't have an option for OCSP stapling in there, yet, either. So in terms of use with pfSense, probably not as common.

    Understandable. I know this is a low priority, so I wrote the code myself.

    I've submitted a feature request https://redmine.pfsense.org/issues/8418

    I've submitted a pull request https://github.com/pfsense/pfsense/pull/3927

