Benjamin Esham

Setting up OCSP stapling for Let’s Encrypt certificates under nginx

Thanks to a free certificate from Let’s Encrypt, this site is now accessible over SSL.[1] Instead of using the official Let’s Encrypt client to obtain the certificate I used letsencrypt-nosudo. This client has a number of advantages: it doesn’t need to run as root, it doesn’t take over port 80 on your server, it doesn’t run continuously in the background, and it doesn’t touch your server configuration. The only thing I missed from the official client was setting up OCSP stapling, which the official client will do but letsencrypt-nosudo won’t. Through some trial and error I figured out which certificates need to go where in order to get stapling working from nginx.

These commands assume that you’re working in the directory that contains your nginx configuration (usually /etc/nginx) and that there’s already a directory there called “ssl”.

  1. Figure out which of the Let’s Encrypt certificates was used to sign your certificate.

    From the command line, run the command

    openssl x509 -noout -text -in ssl/signed.crt | grep Issuer:

    replacing “ssl/signed.crt” with the path to the certificate you just obtained. (The openssl command prints a bunch of somewhat-human-readable information about the certificate; the grep command extracts the line we care about.) The output will be something like

    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

    That last bit (“Let's Encrypt Authority X3”) is the name of the Let’s Encrypt certificate that was used to sign your new certificate.

  2. Download that certificate in PEM format.

    You need to download the PEM version of this certificate. You can find all of the Let’s Encrypt intermediate certificates on the Let’s Encrypt site; click on the “PEM” link for the appropriate certificate to get the file you need. Or, from the command line,

    wget -O ssl/chain.pem "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"

    replacing “x3” with a different certificate name if necessary.

  3. Point nginx to this file as the “trusted certificate”.

    In your nginx.conf file, add these directives to the same block that contains your other ssl directives:

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ssl/chain.pem;

Make sure you verify your setup using sudo nginx -t. If the test is successful, reload nginx (e.g. using sudo nginx -s reload) and you should be up and running with OCSP stapling! You can test your server using the instructions in this guide from DigitalOcean.
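As an added check (example code, not from the original post): before reloading nginx, confirm that the chain.pem you downloaded really is the issuer of signed.crt and that the certificate names an OCSP responder. With ssl_stapling_verify on, a wrong trusted certificate means nginx refuses to staple, and nginx -t does not catch that, since it only parses the configuration. The script below compares the leaf’s issuer with the intermediate’s subject (the same comparison step 1 does by eye), verifies the signature, and looks for the OCSP URL. So that it runs offline, it also builds a throwaway CA and leaf; the CA names, the hostname and the OCSP URL in that fixture are constructed for the demo. Run it with your own two paths (ssl/signed.crt ssl/chain.pem) to check the real files.

```sh
#!/bin/sh
# Sanity-check the files from steps 1-3 before handing them to nginx.
# Paths are the post's ssl/signed.crt and ssl/chain.pem when run with arguments;
# without arguments a constructed CA/leaf pair is generated and checked instead.
set -eu

# Issuer of a certificate in RFC 2253 form, without the "issuer=" prefix.
cert_issuer() {
    openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer= *//'
}

# Subject of a certificate in the same form, so the two strings compare exactly.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Succeeds when $2 (the downloaded intermediate) is the issuer of $1 (the leaf),
# the leaf's signature verifies against it, and the leaf names an OCSP responder.
check_stapling_chain() {
    leaf="$1"; chain="$2"
    if [ "$(cert_issuer "$leaf")" != "$(cert_subject "$chain")" ]; then
        echo "chain file is not the issuer of the leaf:" >&2
        echo "  leaf issuer:   $(cert_issuer "$leaf")" >&2
        echo "  chain subject: $(cert_subject "$chain")" >&2
        return 1
    fi
    # -partial_chain lets the intermediate act as the trust anchor (no root needed here).
    if ! openssl verify -partial_chain -CAfile "$chain" "$leaf" 2>&1 | grep -q ': OK$'; then
        echo "leaf signature does not verify against the chain file" >&2
        return 1
    fi
    if [ -z "$(openssl x509 -noout -ocsp_uri -in "$leaf")" ]; then
        echo "leaf has no OCSP responder URL, so there is nothing to staple" >&2
        return 1
    fi
    return 0
}

# Ask a live server for a stapled response (needs network; not used by the offline demo).
# nginx fetches the first OCSP response lazily, so the first connection often reports
# "no response sent"; try a second time before concluding stapling is broken.
show_stapled_status() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -E 'OCSP response: no response sent|OCSP Response Status'
}

# Constructed test data: a self-signed "intermediate", a leaf it signed with an OCSP URL,
# and an unrelated CA that must be rejected. Names and URL are made up for the demo.
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
        -subj "/O=Example CA/CN=Example Intermediate X1" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/chain.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/ca.key" \
        -set_serial 1 -extfile "$dir/leaf.ext" -out "$dir/signed.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$dir/other.key" \
        -out "$dir/other.pem" -subj "/O=Example CA/CN=Example Intermediate X2" 2>/dev/null
}

main() {
    if [ $# -eq 2 ]; then
        check_stapling_chain "$1" "$2" && echo "$2 matches $1; safe to use as ssl_trusted_certificate"
    else
        tmp=$(mktemp -d)
        make_fixture "$tmp"
        check_stapling_chain "$tmp/signed.crt" "$tmp/chain.pem" && echo "fixture check passed"
        rm -rf "$tmp"
    fi
}

main "$@"
```

Two things this check cannot see: nginx also needs a resolver directive in the same block so it can look up the OCSP responder’s hostname (nginx -t accepts a configuration without one, but no response will ever be stapled), and whether the responder is actually reachable from the server, which the show_stapled_status function above answers by asking the live server after the reload.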

[1] It’s actually no longer available over unencrypted HTTP. I share Brent Simmons’s ambivalence (see the “http deprecation” section) about the shift toward HTTPS, but I also can’t deny that the shift is happening more and more quickly (due in no small part to Let’s Encrypt).