Netgate Discussion Forum
    OCSP must staple nginx configuration

    webGUI
    berbec

      Good morning all.

      I use Letsencrypt wildcard certificates and have installed them into my pfSense box. I get an error in Mozilla Firefox when connecting:

      MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
      

      This indicates an error with the pfSense box's OCSP stapling response (https://support.mozilla.org/en-US/questions/1149911). When requesting the certificate through acme.sh, I have used the --ocsp-must-staple option. Since I assign my pfSense box an internal DNS entry with the domain listed in the certificate, my browser expects an OCSP response.

      I checked the OCSP response thusly:

      [berbec@server]$ openssl s_client -connect pfsense.example.com:443 -status < /dev/null
      -snip-
                      OCSP response: no response sent
      -snip-
      

      Because my certificate is issued with must staple, and Firefox had gone to a site with one of my domains previously, and it got the OCSP must staple directive for my main domain, it applies it to all subdomains, including the pfSense box.

      There are a few modifications needed to pfSense's configuration to make OCSP stapling work.

      1. Four lines need to be added to /var/etc/nginx-webConfigurator.conf

                      ssl_stapling on;
                      ssl_stapling_verify on;
                      resolver 8.8.8.8 1.1.1.1 valid=300s;
                      resolver_timeout 5s;
      

      2. The certificate uploaded through the GUI has to be the full certificate chain, including the CA cert; not just the certificate.

      You can also upload the CA certificate separately, and add an additional line to the nginx configuration:

      ssl_trusted_certificate /var/etc/ca.crt;
      

      But I find just uploading the fullchain certificate to be easier.

      Having made these changes, I receive the following response from the above openssl command:

      OCSP response:
      ======================================
      OCSP Response Data:
          OCSP Response Status: successful (0x0)
          Response Type: Basic OCSP Response
          Version: 1 (0x0)
          Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
          Produced At: Mar 31 08:00:00 2018 GMT
          Responses:
          Certificate ID:
            Hash Algorithm: sha1
            Issuer Name Hash: blhalbah
            Issuer Key Hash: foobar
            Serial Number: barfoo
          Cert Status: good
          This Update: Mar 31 08:00:00 2018 GMT
          Next Update: Apr  7 08:00:00 2018 GMT
      

      My question is how can I ensure this sticks? I know editing the configuration manually is a bad idea, but I needed to get this working and did not want to disable stapling in Firefox. I currently have my Letsencrypt deployment hook upload, via SCP, the new certs and a copy of the working nginx configuration, but this is not ideal. What would be perfect is an option somewhere to enable OCSP stapling in the webUI.

      Thanks for your time.
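An added check (example code, not from this thread or from pfSense) that audits the prerequisites the post above lists: it decodes the uploaded PEM, looks for the RFC 7633 TLS Feature (must-staple) extension in the leaf certificate by DER byte pattern rather than a full X.509 parse, and reports which of the nginx stapling directives are missing or whether the issuer certificate is absent. The helper names (audit_stapling, has_must_staple, fake_pem) and the certificate and config fixtures are constructed for this example and are not real certificates.

```python
import base64
import re

# DER bytes of the TLS Feature extension OID 1.3.6.1.5.5.7.1.24 (RFC 7633) and of its
# value SEQUENCE { INTEGER 5 } = status_request, the "must staple" marker.
TLS_FEATURE_OID = bytes.fromhex("06082b06010505070118")
STATUS_REQUEST = bytes.fromhex("3003020105")
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIRECTIVE = re.compile(
    r"^\s*(ssl_stapling|ssl_stapling_verify|resolver|ssl_trusted_certificate)\s+([^;]+);", re.M)

def pem_certs(pem_text):
    """Return the DER bytes of every certificate in a PEM file, leaf first."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(pem_text)]

def has_must_staple(der):
    """Byte-pattern heuristic, not an X.509 parser: the TLS Feature OID followed
    closely (optional critical flag, OCTET STRING header) by status_request."""
    i = der.find(TLS_FEATURE_OID)
    return i >= 0 and STATUS_REQUEST in der[i:i + 32]

def audit_stapling(nginx_conf, cert_pem):
    """Check the uploaded cert against nginx's stapling prerequisites; return findings."""
    d = dict(DIRECTIVE.findall(nginx_conf))
    certs = pem_certs(cert_pem)
    if not certs:
        return ["no certificate found in the uploaded PEM"]
    if not has_must_staple(certs[0]):
        return []  # nothing obliges the server to staple, so no client will refuse it
    findings = []
    if d.get("ssl_stapling") != "on":
        findings.append("leaf cert requests must-staple but ssl_stapling is not on")
    elif "resolver" not in d:
        findings.append("ssl_stapling on but no resolver: nginx cannot reach the OCSP responder")
    if d.get("ssl_stapling_verify") == "on" and len(certs) < 2 and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify needs the issuer: upload fullchain or set ssl_trusted_certificate")
    return findings

# Constructed fixtures (not real certificates): only the extension bytes matter here.
def fake_pem(*ders):
    armor = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    return "".join(armor % base64.b64encode(d).decode() for d in ders)

LEAF_DER = b"\x30\x82" + TLS_FEATURE_OID + b"\x04\x05" + STATUS_REQUEST
LEAF_ONLY = fake_pem(LEAF_DER)
FULLCHAIN = fake_pem(LEAF_DER, b"\x30\x82issuer")
DEFAULT_CONF = "server {\n    listen 443 ssl;\n    ssl_certificate /var/etc/cert.crt;\n}\n"
STAPLING_CONF = DEFAULT_CONF.replace("}\n", "    ssl_stapling on;\n    ssl_stapling_verify on;\n"
                                     "    resolver 8.8.8.8 1.1.1.1 valid=300s;\n    resolver_timeout 5s;\n}\n")
```

Run audit_stapling against the real /var/etc/nginx-webConfigurator.conf and the uploaded PEM to see which of the steps above is still missing before touching Firefox's stapling settings.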

        jimp (Rebel Alliance Developer, Netgate)

        If you want that to stick, you will need to add those lines into the code that generates the nginx configuration.

        We looked into doing OCSP stapling a couple years ago and decided against it since the web server is not a public server, nor is it high traffic.

        We may change that stance eventually, but at the moment I don't see any compelling argument in favor of adding it yet.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          berbec

          I'm perfectly fine with the setup I have for myself. SCPing over the config file and restarting nginx doesn't bother me. I just thought it might benefit the community. Anyone who uses must staple will run into this, and with LetsEncrypt making wildcard certs available, this may become a more common issue. I believe you can get around it by going to the machine by IP.

          Where would I find the nginx config generation files? Am I correct in assuming it's in /etc/inc/system.inc?

          function system_generate_nginx_config()

            jimp (Rebel Alliance Developer, Netgate)

            Yes, that is the correct function. If you keep the original file and then make a diff/patch from that to apply your changes, you can use the system patches package to maintain your alterations rather than redoing them after every update.

            Generally speaking people using ACME/LE certs with pfSense will be using the pfSense ACME package to generate them, and we don't have an option for OCSP stapling in there, yet, either. So in terms of use with pfSense, probably not as common.

              berbec

              OK, it's a small diff.

                berbec

                @jimp:

                Yes, that is the correct function. If you keep the original file and then make a diff/patch from that to apply your changes, you can use the system patches package to maintain your alterations rather than redoing them after every update.

                Generally speaking people using ACME/LE certs with pfSense will be using the pfSense ACME package to generate them, and we don't have an option for OCSP stapling in there, yet, either. So in terms of use with pfSense, probably not as common.

                Understandable. I know this is a low priority, so I wrote the code myself.

                I've submitted a feature request https://redmine.pfsense.org/issues/8418

                I've submitted a pull request https://github.com/pfsense/pfsense/pull/3927

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.