Working OCSP Stapling setup with free Wosign Certificate on Nginx

Chinese CA WoSign issues free multi-domain SSL certificates valid for 3 years. You can read some informations on how to get theses free certificates on https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html.
FYI, I received my certificate around 1hour after submission :)

Now, the nginx ssl configuration ! I won’t cover the pure SSL configuration, you can look at mozilla wiki for a “perfect setup”.
Standard procedure, you extract the provided zip, grab the 1_mydomain_bundle.crt and add it to nginx ssl configuration.

I wanted to enable OCSP stapling, for checking the revocation status of X.509 digital certificates on server side.
Basic OCSP checking potentially impairs users’ privacy and slows down browsing, since it requires the client to contact a third party (the CA) to confirm the validity of each certificate that it encounters. With OCSP Stapling, the certificate holder (your servers) queries the OCSP server themselves at regular intervals, obtaining a signed time-stamped OCSP response.
When the site’s visitors attempt to connect to the site, this response is included with the TLS Handshake.

In nginx, the stapling configuration is simple :

ssl_stapling on;
ssl_stapling_verify on;

Then you need to reload nginx. You can now test OCSP response with openssl.

openssl s_client -connect blog.alteroot.org:443 -tls1_2 -tlsextdebug -status

Note: the FIRST client request always has a empty OSCP response, because nginx query the remote OCSP server at the same time. This applies to ALL nginx workers, Nginx uses a per-worker cache of OCSP responses.

Unfortunately, it does not works, and I can see in nginx logs this error :

2015/07/17 11:31:21 [error] 19557#0: OCSP responder sent invalid "Content-Type" header: "text/html" while requesting certificate status, responder: ocsp6.wosign.com

By checking http://ocsp6.wosign.com/ (504 bad gateway), I thought that their OCSP Server was down.
After some investigations, I found this nginx ticket : You need at least Nginx 1.7.4 which fix a bug with uppercase on ngx_escape_uri() !

As I just set up a new server with debian Jessie, I used the default Nginx (1.6.2). So I need to upgrade to 1.8.0 with Dotdeb packages (thanks @gui ;)).

After upgrade to 1.8.0, in Nginx logs :

2015/07/17 11:47:30 [error] 21390#21390: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: ocsp6.wosign.com

Yes ! At least nginx can talk to the OCSP server :)

Now, I need to add “trusted” certificate to Nginx.
You need to “cat” StartCom Certification Authority certificate then Wosign one.
Why Startcom ? Because the WoSign root CA is cross-signed by the StartCom CA so it is trusted by every browsers.

The StartCom Certification Authority certificate (Serial 1, PEM format) : https://ssl-tools.net/certificates/1cf30e1-startcom-certification-authority
And WoSign CA certificates (includes in the 1_mydomain_bundle.crt)

The final ssl_trusted_certificate file :

-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MTk0NjM2WhcNMzYwOTE3MTk0NjM2WjB9
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMi
U2VjdXJlIERpZ2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3Rh
cnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEBAQUA
A4ICDwAwggIKAoICAQDBiNsJvGxGfHiflXu1M5DycmLWwTYgIiRezul38kMKogZk
pMyONvg45iPwbm2xPN1yo4UcodM9tDMr0y+v/uqwQVlntsQGfQqedIXWeUyAN3rf
OQVSWff0G0ZDpNKFhdLDcfN1YjS6LIp/Ho/u7TTQEceWzVI9ujPW3U3eCztKS5/C
Ji/6tRYccjV3yjxd5srhJosaNnZcAdt0FCX+7bWgiA/deMotHweXMAEtcnn6RtYT
Kqi5pquDSR3l8u/d5AGOGAqPY1MWhWKpDhk6zLVmpsJrdAfkK+F2PrRt2PZE4XNi
HzvEvqBTViVsUQn3qqvKv3b9bZvzndu/PWa8DFaqr5hIlTpL36dYUNk4dalb6kMM
Av+Z6+hsTXBbKWWc3apdzK8BMewM69KN6Oqce+Zu9ydmDBpI125C4z/eIT574Q1w
+2OqqGwaVLRcJXrJosmLFqa7LH4XXgVNWG4SHQHuEhANxjJ/GP/89PrNbpHoNkm+
Gkhpi8KWTRoSsmkXwQqQ1vp5Iki/untp+HDH+no32NgN0nZPV/+Qt+OR0t3vwmC3
Zzrd/qqc8NSLf3Iizsafl7b4r4qgEKjZ+xjGtrVcUjyJthkqcwEKDwOzEmDyei+B
26Nu/yYwl/WL3YlXtq09s68rxbd2AvCl1iuahhQqcvbjM4xdCUsT37uMdBNSSwID
AQABo4ICUjCCAk4wDAYDVR0TBAUwAwEB/zALBgNVHQ8EBAMCAa4wHQYDVR0OBBYE
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGQGA1UdHwRdMFswLKAqoCiGJmh0dHA6Ly9j
ZXJ0LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMCugKaAnhiVodHRwOi8vY3Js
LnN0YXJ0Y29tLm9yZy9zZnNjYS1jcmwuY3JsMIIBXQYDVR0gBIIBVDCCAVAwggFM
BgsrBgEEAYG1NwEBATCCATswLwYIKwYBBQUHAgEWI2h0dHA6Ly9jZXJ0LnN0YXJ0
Y29tLm9yZy9wb2xpY3kucGRmMDUGCCsGAQUFBwIBFilodHRwOi8vY2VydC5zdGFy
dGNvbS5vcmcvaW50ZXJtZWRpYXRlLnBkZjCB0AYIKwYBBQUHAgIwgcMwJxYgU3Rh
cnQgQ29tbWVyY2lhbCAoU3RhcnRDb20pIEx0ZC4wAwIBARqBl0xpbWl0ZWQgTGlh
YmlsaXR5LCByZWFkIHRoZSBzZWN0aW9uICpMZWdhbCBMaW1pdGF0aW9ucyogb2Yg
dGhlIFN0YXJ0Q29tIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IFBvbGljeSBhdmFp
bGFibGUgYXQgaHR0cDovL2NlcnQuc3RhcnRjb20ub3JnL3BvbGljeS5wZGYwEQYJ
YIZIAYb4QgEBBAQDAgAHMDgGCWCGSAGG+EIBDQQrFilTdGFydENvbSBGcmVlIFNT
TCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTANBgkqhkiG9w0BAQUFAAOCAgEAFmyZ
9GYMNPXQhV59CuzaEE44HF7fpiUFS5Eyweg78T3dRAlbB0mKKctmArexmvclmAk8
jhvh3TaHK0u7aNM5Zj2gJsfyOZEdUauCe37Vzlrk4gNXcGmXCPleWKYK34wGmkUW
FjgKXlf2Ysd6AgXmvB618p70qSmD+LIU424oh0TDkBreOKk8rENNZEXO3SipXPJz
ewT4F+irsfMuXGRuczE6Eri8sxHkfY+BUZo7jYn0TZNmezwD7dOaHZrzZVD1oNB1
ny+v8OqCQ5j4aZyJecRDjkZy42Q2Eq/3JR44iZB3fsNrarnDy0RLrHiQi+fHLB5L
EUTINFInzQpdn4XBidUaePKVEFMy3YCEZnXZtWgo+2EuvoSoOMCZEoalHmdkrQYu
L6lwhceWD3yJZfWOQ1QOq92lgDmUYMA0yZZwLKMS9R9Ie70cfmu3nZD0Ijuu+Pwq
yvqCUqDvr0tVk+vBtfAii6w0TiYiBKGHLHVKt+V9E9e4DGTANtLJL4YSjCMJwRuC
O3NJo2pXh5Tl1njFmUNj403gdy3hZZlyaQQaRwnmDwFWJPsfvw55qVguucQJAX6V
um0ABj6y6koQOdjQK/W/7HW/lwLFCRsI3FU34oH7N4RDYiDK51ZLZer+bMEkkySh
NOsF/5oirpt9P/FlUQqmMGqz9IgcgA38corog14=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGXDCCBESgAwIBAgIHGcKFMOk7NjANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDYwOTE3MjI0NjM2WhcNMTkxMjMxMjM1
OTU5WjBVMQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQx
KjAoBgNVBAMTIUNlcnRpZmljYXRpb24gQXV0aG9yaXR5IG9mIFdvU2lnbjCCAiIw
DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL3Kjay4kRVWl3trXHrC3mvZobDD
ECP6p6GyzDH6PtmmKW8WPeBr+LhAX9s5qAB6i6BNVH3CInj8jgm4qIXXzJWXS3TY
nn7wAOQOia5JKEQaEJkyDyWIU6QNsw8SCBYLA3EnHH/h29L9Z2jEBV0KDl1w19iX
oLxTQZqRjfSeNmZ6flbBkF/msWggNqSMJCwsRwtZdmYwtb7e7Y/4ndO7ATDm8vMO
4CySgPOF+SiKtFQumu33dvwVaBbrSmzrLhKP1M/+DMdcHQt+BTK+XrAJKkLVyU6Q
s1kNu3p+zdUIWrR/2BxpEfknD3sGr1SDGHvh3VR6UWhud/zGv1JKZkahsmcau6NP
d6C+Xf/8VgtDcneQyp758jn1Dan06tfnsxAvMEI3IcwwcMmGmA/MWE2Du33lGqU3
jbasMpcAOmNxJB6eN8T/dNQ3wOL+iEZgEd0IP1A2q7h6pJViam6wymohWmnz8/sd
cDmV86dupoGJoYjFO3HKo1Lug7v9oHf05G/nQtttSpmKNEi8F9zkgAgitvIxwD8E
PuufIHnWuAZkZAIx16nNUvuERWkJACrcVYvEBkZLwEodCVs5KP2pq84A+S5ISybm
MEylWMq0RIJP55EeM8Owk/8R/IHSyh9xKd12T5Ilrx2Btw8vjMMGzC8no0rkDpm6
fB5FH3+qGUWW/fw9AgMBAAGjggEHMIIBAzASBgNVHRMBAf8ECDAGAQH/AgECMA4G
A1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU4WbPDtHxs0u3BiAU/ocS1fb++z4wHwYD
VR0jBBgwFoAUTgvvGqRAW6UXaYcwyjRoQ9BBrvIwaQYIKwYBBQUHAQEEXTBbMCcG
CCsGAQUFBzABhhtodHRwOi8vb2NzcC5zdGFydHNzbC5jb20vY2EwMAYIKwYBBQUH
MAKGJGh0dHA6Ly9haWEuc3RhcnRzc2wuY29tL2NlcnRzL2NhLmNydDAyBgNVHR8E
KzApMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0c3NsLmNvbS9zZnNjYS5jcmwwDQYJ
KoZIhvcNAQELBQADggIBALZt+HD74g1MmLMHSRX1BMRsysr1aKAI/hJtnAQGya2a
kVI+eMRc7p9UHe7j8V4wyUnhOeCmnTZsV/rmNE9V6IeoLN0F8VgSkejKzih4j98H
hQGl3EWWBdSAsisFmsuapYvgOmfmc0e+Sv0nsYjv5srPjQ4mn/pfV3itbf6umzUI
scO6wQBKS30Uvffx01UYrNAzcIhtxAlxFKYrT4iB5wsAN6kVfX7XAZY/L697Yq4K
Sr9LOS41EIv+BDnkPDoMCVZAOrX0wmgMtflSze6d+Jj8eOdYR48cc1hpM6v/3d+O
JAF3mBk6sGZ5vOEIow5PwQSz8wHI69NZHDXSkx5wZYJ/28/7yJkSYMNEbzqAS9e+
IaoUemTL3TdDRVsyLkXw2VkfaxjwfOlVNhlhX7V98Y29iOR1S5jdJ7DkhEQqYYRX
BYIRH6o1WPMgDq9Z7/pVcnINJtCbU0mszjcuZWH/9uwb6vbxptPRtXu+NfQiwbyN
Ab1oXoMNL+zW2mMMJ9FUPuSo085LMriRlP/7W0ktdRiounGaO67ZwKlPh5Hti3tr
IJiJOYNPgMRpzBfJyE6+5KmlgXZwBgQyzYNl9Lx9PhO80uhvY6q1O9qNhjKCeJ3Z
zP+/V2R07Sg9RGIVYUv3lLANKmcc8MubpZK/+EFawT1g7Z+7uG2bzqlqFj9+6gbx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFrDCCA5SgAwIBAgIQOPZFweJdkSzOOys5EjF0DTANBgkqhkiG9w0BAQsFADBV
MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxKjAoBgNV
BAMTIUNlcnRpZmljYXRpb24gQXV0aG9yaXR5IG9mIFdvU2lnbjAeFw0xNDExMDgw
MDU4NThaFw0yOTExMDgwMDU4NThaMFUxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFX
b1NpZ24gQ0EgTGltaXRlZDEqMCgGA1UEAxMhV29TaWduIENBIEZyZWUgU1NMIENl
cnRpZmljYXRlIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA47SA
DmswUIIvH+edv/h8QiXtrmHE64aHI38RH8CTXxuSkB53jLx29/sKpdV9rNxLGNhY
Lt9GazQPRWRghMLrmg5R1CpUUT4nO2Rohm98awA8mfZMqEUnraXLKzftWcNSTE/e
NJzyt9H6WMvlYp5VRly3xY04JDXvlyx8ZRAN75+XCNXlsxJ6kt3+iA+PpK+9xdY2
90Eb6Fndhv81v+3k0aCTblGomcvf3b5xiMPasWXMe5XEZo++TgZ/m1OMazzOlyaC
Hxcwuj/I3swLobTvEj2Tywgw5xqYl4A6JoSP/nN0lVMPUbKqiVf0lkByEx3kZ5hO
j8ZAC/UdDEUt4NWSgwIDAQABo4IBdjCCAXIwDgYDVR0PAQH/BAQDAgEGMB0GA1Ud
JQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/AgEAMDAG
A1UdHwQpMCcwJaAjoCGGH2h0dHA6Ly9jcmxzMS53b3NpZ24uY29tL2NhMS5jcmww
cgYIKwYBBQUHAQEEZjBkMCcGCCsGAQUFBzABhhtodHRwOi8vb2NzcDEud29zaWdu
LmNvbS9jYTEwOQYIKwYBBQUHMAKGLWh0dHA6Ly9haWExLndvc2lnbi5jb20vY2Ex
ZzItc2VydmVyMS1mcmVlLmNlcjAdBgNVHQ4EFgQU0qcWIHyv2ZWe60MKGfLguXQO
qMcwHwYDVR0jBBgwFoAU4WbPDtHxs0u3BiAU/ocS1fb++z4wRwYDVR0gBEAwPjA8
Bg0rBgEEAYKbUQYBAgIBMCswKQYIKwYBBQUHAgEWHWh0dHA6Ly93d3cud29zaWdu
LmNvbS9wb2xpY3kvMA0GCSqGSIb3DQEBCwUAA4ICAQCWWt+WkRdokF0vtDIVgAMD
C+kct3Ns2qj6lN3dPjQrLoCTbPqmZ9MbeoJBzp7/P++yg2qe/DL9RPOCZqrPRC+z
N0HweRLjAieGSJK+z1bXy9fnHiWdQdsK5zMSWK2V2J7Ut5Upuv7/34Ckd1sVYg9p
+IdtdOqFonZdn5UuA7yK+YqsgWRQ8gtFS+yXMDl05ad+FiRiK1DxXNhPzS6iGCWj
zvYfYN0V3iAVGw5/r4XZQKwHKjTdUbAaqOYOn1/bRnDm9dklHPAd5UKhLSKdbhHJ
jaZlvA6qdnPIVmAv+z+GuaX1M+/VEx9JTDgHnlkiWsdO2SUkulNw/GMqVFHrw0tB
feToPCyldlq/2UyoDa5SbqVdmD1skG14H8NwlYYHP1Tj6oqBZGKajzGveyp+kiLD
jsxTrMecmRErSD9ScStuwOGzCuUDYteJGChMCo0/C0WJgYuIpJPCf0TlHltAAPwv
zDv4ankx/UQUto9IhUyrCp27Nwr8URng/llqO49gYqcHgq8IZqDy2mAC6tg0fldx
obX+adf73Vqc8//E6s10+pRw01iSzq8S5G7r3bivHeJl1EbqCz7jaA4KTCeDUJEG
xnv4+psm7SwOZ7hs5SyYbV96KMOEPAMN9+ID4ZTCWCf4TYFZL/F8YclXXb3cnIDQ
ZN98h3iF5pSLcIsFR+TIew==
-----END CERTIFICATE-----

Now the OCSP check works !

$ openssl s_client -connect blog.alteroot.org:443 -tls1_2 -tlsextdebug -status
[...]
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = CN, O = WoSign CA Limited, CN = WoSign Free SSL OCSP Responder(G2)
    Produced At: Jul 17 11:12:45 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: A06661F16CBCC23E98BC71914830B85AAA8D0A6B
      Issuer Key Hash: D2A716207CAFD9959EEB430A19F2E0B9740EA8C7
      Serial Number: 5FA7F414BCB7C7374B525EEB4D894072
    Cert Status: good
    This Update: Jul 17 11:12:45 2015 GMT
    Next Update: Jul 19 11:12:45 2015 GMT
[...]

Enjoy :)

Sources: