Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

bad signature because OCSP stapling not activated in the nginx config file

Description

Most browsers currently have the stapling check set to true

e.g. Firefox/Chrome security.ssl.enable_ocsp_stapling = true

As a result, even if the certificate is valid, the browser still throws "SEC_ERROR_OCSP_BAD_SIGNATURE".

cause : stapling is not uncommented in the nginx config file when the certificate is configured.

ssl_stapling on;
ssl_stapling_verify on;

Problem/Justification

None

Impact

None

SmartDraw Connector

Katalon Manual Tests (BETA)

Activity

Show:

Bug Clerk March 1, 2021 at 9:12 AM

Jan November 5, 2020 at 4:31 PM

If openssl version is 1.1.0 or higher :

1.3.6.1.5.5.7.1.24 can be replaced by "_tlsfeature = status_request_" in the CSR

 

I have not tested how it shows up in the certificate

 *****

[ v3_req ]

tlsfeature = status_request

Jan November 5, 2020 at 2:04 PM
Edited

I found the cause, but it will require an additional check in the interface.

 

Because I want to use ECDSA key and my DNS provider does not yet support automation, I generated the ACME request manually. As I want to increase the security I also included    --ocsp, (--ocsp-must-staple Generate OCSP-Must-Staple extension). As a result the error I got.

 

So when loading the certificate in the UI, a check must be done on the certificate for the presence of 1.3.6.1.5.5.7.1.24. If it is, then OCSP stapling must be activated in the nginx.conf

 

info from link below

The CSR request can request OCSP_MUST_STAPLE option (PARAM_OCSP_MUST_STAPLE=”yes”). The issued cert will have the parameter  with OID 1.3.6.1.5.5.7.1.24 and an OCSP URI which are shown with

openssl x509 -in cert.pem -text  |grep 1.24

1.3.6.1.5.5.7.1.24:

https://securemachinery.com/2017/10/09/ocsp-validation-and-ocsp-stapling-with-letsencrypt/

 

 

Waqar November 4, 2020 at 7:24 PM

i have been playing with a bit and had a query, can you please let me know why import letsencrypt wild card chain ? Are you using a provider which is not supported by us ? ( we only support AWS at the moment ) Not that using another provider matters, jus trying to reproduce the issue and make sure we don't have a regression from your suggested changes.

Why I ask is that I tested this and I am not seeing an error even though ocsp_stapling is enabled in my browser. So I was curious on how you are reproducing it.

Jan November 4, 2020 at 3:19 PM

To reproduce :

Import letsencrypt wildcard certificate full chain & private key

In General - Select the imported certficate

STEP 1

Connect to the https admin interface

--> bad cert domain

in browser config 

  • set security.ssl.enable_ocsp_stapling = false

refresh page : Browser does not throw an error

 

STEP 2

Connect via SSH to the server.

nano /usr/local/etc/nginx/nginx.conf

remove the comment indicator # in front of 

  • ssl_stapling on;

  • ssl_stapling_verify on;

save & exit nano

service nginx restart

in browser config, set default value again

  • set security.ssl.enable_ocsp_stapling = true

Connect to the https admin interface

  All is OK now

 

Reboot --> hash is again in config file --> bad cert domain re-appears  (or manually put the hash sigh back and restart nginx)

 

Complete

Details

Assignee

Reporter

Labels

Components

Fix versions

Affects versions

Priority

More fields

Katalon Platform

Created November 4, 2020 at 8:04 AM
Updated July 1, 2022 at 3:50 PM
Resolved March 2, 2021 at 3:59 PM