How to enable OCSP Stapling on EasyEngine


#1

When OCSP Stapling is disabled, the user's browser (Firefox) checks whether a website certificate has been revoked or not. It does this via the Online Certificate Status Protocol, or OCSP.

It ‘leaks’ user visits to the cert issuer, causes heavy traffic on the cert issuer's servers, and slows down page load since it is an additional request. Enabling OCSP Stapling reduces this.

See this article.

How to enable OCSP Stapling:

Add to the end of your /etc/nginx/sites-available/example.com conf this:

...
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    # DNS resolver (Google), not mandatory
    resolver 8.8.8.8 8.8.4.4;
}

then

nginx -t
service nginx restart

Use this tool (or this) to see whether OCSP Stapling is enabled on your server.


#2

You forgot to add the resolver directive, which allows Nginx to check your cert regularly.

resolver 8.8.8.8 8.8.4.4;

This example uses Google DNS, but you can choose the best DNS servers for your server.


#3

I have edited the post.


#4

Check:

openssl s_client -connect example.com:443 -tls1 -tlsextdebug -status

What is the answer?

OCSP Response Data: ...

or:

OCSP response: no response sent

Probable cause:

/etc/network/interfaces
inet6 settings

Check:

ping6 -n -c 4 ipv6.google.com
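A check script, added here as an example and not posted by anyone in this thread: it runs the openssl s_client -status test from post #4 (without -tls1, since current servers reject TLS 1.0 handshakes) and, when nothing is stapled, fetches the OCSP response itself from the responder named in the certificate, which is what nginx must be able to do (hence the resolver and IPv6 points above). The function names, the hostname and the cert paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl in PATH, and for
# query_responder the cert.pem and chain.pem from /etc/letsencrypt/live/<domain>/.

# Classify raw `openssl s_client -status` output read from stdin.
# Prints "stapled", "none" or "unknown".
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Data:"*)              echo stapled ;;
        *"OCSP response: no response sent"*)  echo none ;;
        *)                                    echo unknown ;;
    esac
}

# Connect to HOST:PORT with SNI and ask for a stapled OCSP response,
# exactly like post #4 but negotiating a current TLS version.
check_stapling() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -status 2>/dev/null | classify_ocsp_output
}

# Fetch and verify the OCSP response directly from the responder listed in
# the leaf certificate. If this fails from the server itself, nginx cannot
# staple either (no resolver, broken IPv6 route, firewall). Older OpenSSL
# (1.0.x) additionally needs an explicit -header Host option here.
query_responder() {
    cert=$1; chain=$2
    uri=$(openssl x509 -noout -ocsp_uri -in "$cert")
    [ -n "$uri" ] || { echo "no OCSP URI in certificate" >&2; return 1; }
    openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" -resp_text 2>&1 \
        | grep -E 'Cert Status|Response verify'
}

# Example usage (hostname is a placeholder):
#   check_stapling example.com
#   query_responder /etc/letsencrypt/live/example.com/cert.pem \
#                   /etc/letsencrypt/live/example.com/chain.pem
```

A "good" result is `stapled` from check_stapling and `Response verify OK` plus `Cert Status: good` from query_responder; `none` combined with a failing query_responder points at the server's outbound DNS or IPv6 connectivity rather than the nginx config.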


#5