Benjamin Esham

Close call

1.3 billion years ago, two black holes were locked together in a death spiral. Rotating around each other at two thirds the speed of light, separated only by the distance between London and Paris, they quickly and violently merged into a single black hole. Its mass was less than the combined mass of the original ones; the leftover energy was blasted out in all directions in the form of a gravitational wave.

Meanwhile, on Earth, the Rodinia supercontinent was home to nothing more than single-celled organisms. Life slowly grew in complexity; the continents separated; the dinosaurs arose; the continents recombined; the dinosaurs died out. When the gravitational waves had traveled 99.985% of the way to Earth, humans appeared. Over hundreds of millennia we developed language, agriculture, philosophy, mathematics, and science.

Mystical explanations for the natural world slowly gave ground to empiricism. Newton developed a theory of gravity and Einstein later refined it, predicting that some moving objects would radiate waves of gravitational energy. Almost a century later, the LIGO experiment began to look for these waves. After seeing nothing for five years the detectors were taken offline and upgraded; they saw nothing again and were taken offline and upgraded again.

They were brought back online last February and in September they detected the gravitational waves from the merging black holes. The waves had been traveling for 1,300,000,000 years — since before humans existed — and they passed through our detector seven months after we turned it on.

Setting up OCSP stapling for Let’s Encrypt certificates under nginx

Thanks to a free certificate from Let’s Encrypt, this site is now accessible over SSL.1 Instead of using the official Let’s Encrypt client to obtain the certificate I used letsencrypt-nosudo. This client has a number of advantages: it doesn’t need to run as root, it doesn’t take over port 80 on your server, it doesn’t run continuously in the background, and it doesn’t touch your server configuration. The only thing I missed from the official client was setting up OCSP stapling, which the official client will do but letsencrypt-nosudo won’t. Through some trial and error I figured out which certificates need to go where in order to get stapling working from nginx.

These commands assume that you’re working in the directory that contains your nginx configuration (usually /etc/nginx) and that there’s already a directory there called “ssl”.

  1. Figure out which of the Let’s Encrypt certificates was used to sign your certificate.

    From the command line, run the command

    openssl x509 -noout -text -in ssl/signed.crt | grep Issuer:

    replacing “ssl/signed.crt” with the path to the certificate you just obtained. (The openssl command prints a bunch of somewhat-human-readable information about the certificate; the grep command extracts the line we care about.) The output will be something like

    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

    That last bit (“Let's Encrypt Authority X3”) is the name of the Let’s Encrypt certificate that was used to sign your new certificate.

  2. Download that certificate in PEM format.

    You need to download the PEM version of this certificate. You can find all of the Let’s Encrypt intermediate certificates on the Let’s Encrypt site; click on the “PEM” link for the appropriate certificate to get the file you need. Or, from the command line,

    wget -O ssl/chain.pem "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

    replacing “x3” with a different certificate name if necessary.

  3. Point nginx to this file as the “trusted certificate”.

    In your nginx.conf file, add these directives to the same block that contains your other ssl directives:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ssl/chain.pem;

Make sure you verify your setup using sudo nginx -t. If the test is successful, restart nginx (e.g. using sudo nginx -s reload) and you should be up and running with OCSP stapling! You can test your server using the instructions in this guide from DigitalOcean.
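The three steps above can be scripted so that the intermediate is chosen from the certificate rather than by hand, and so that the chain file is checked against the certificate before nginx is pointed at it. The script below is an added example, not part of the original post or of letsencrypt-nosudo. It assumes openssl and sed are installed, and it assumes that the download URL for every intermediate follows the pattern the post shows for X3 (lets-encrypt-x3-cross-signed.pem); that generalisation is an assumption, not something Let's Encrypt documents.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the OCSP
# stapling procedure above. Assumes openssl and sed are available.

# Step 1: extract the CN from the "Issuer:" line that
#   openssl x509 -noout -text -in ssl/signed.crt | grep Issuer:
# prints, e.g. "Let's Encrypt Authority X3". Reads the line on stdin.
issuer_cn() {
    sed -n 's/^ *Issuer:.*CN=\([^,/]*\).*$/\1/p' | head -n 1
}

# Step 2: map that CN to the PEM download URL. The post shows
# ".../lets-encrypt-x3-cross-signed.pem" for "Let's Encrypt Authority X3";
# applying the same pattern to other X-numbers is an assumption.
# Returns 1 (and prints nothing) for any CN that is not a Let's Encrypt
# intermediate, so a caller never downloads from a guessed URL.
chain_url_for_cn() {
    tag=$(printf '%s\n' "$1" \
        | sed -n "s/^Let's Encrypt Authority \([A-Za-z0-9]*\)$/\1/p" \
        | tr 'A-Z' 'a-z')
    [ -n "$tag" ] || return 1
    printf 'https://letsencrypt.org/certs/lets-encrypt-%s-cross-signed.pem\n' "$tag"
}

# Step 3 sanity check: before adding ssl_trusted_certificate, confirm the
# chain file's Subject equals your certificate's Issuer. If they differ,
# ssl_stapling_verify has nothing to validate the OCSP response against.
chain_matches_cert() {
    cert=$1
    chain=$2
    issuer=$(openssl x509 -noout -issuer -in "$cert" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -in "$chain" | sed 's/^subject= *//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# After "nginx -s reload": confirm the server really staples a response.
# Assumes the host is reachable on port 443 from where this runs.
stapling_works() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -status \
        </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful'
}

# Usage: ./stapling-helper.sh ssl/signed.crt ssl/chain.pem example.com
# (hypothetical file names; the script does nothing when run without
# arguments). Prints the intermediate's URL, checks the chain file, and
# tests stapling on the live host.
if [ $# -eq 3 ]; then
    cn=$(openssl x509 -noout -text -in "$1" | grep Issuer: | issuer_cn)
    echo "Issuer CN: $cn"
    echo "Chain URL: $(chain_url_for_cn "$cn" || echo '(not a Let'"'"'s Encrypt intermediate)')"
    chain_matches_cert "$1" "$2" && echo "chain.pem matches the certificate issuer" \
        || echo "WARNING: $2 does not match the issuer of $1"
    stapling_works "$3" && echo "stapling OK on $3" || echo "no stapled OCSP response from $3"
fi
```

The chain check is the part worth keeping even if you do the rest by hand: a wrong intermediate in ssl/chain.pem passes `nginx -t`, because nginx only checks that the file parses, and the mismatch shows up later as a missing stapled response.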

  1. It’s actually no longer available over unencrypted HTTP. I share Brent Simmons’s ambivalence (see the “http deprecation” section) about the shift toward HTTPS, but I also can’t deny that the shift is happening more and more quickly (due in no small part to Let’s Encrypt).