letsencrypt https证书增加OCSP Stapling解决iOS公众号H5首次打开慢问题

原因

最近收到反馈网站公众号H5打卡慢,发现都是iOS用户,最后搜了以下发现可能因为letsencrypt证书域名被污染,导致到国外验证证书慢,解决办法是开启OCSP Stapling本地服务器缓存。

nginx 日志可以看到

ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out)

检查证书是否已开启OCSP Stapling

openssl s_client -connect c4ys.com:443 -servername c4ys.com -status -tlsextdebug < /dev/null 2>&1 | grep "OCSP"

(nginx重启后需要运行两次,第二次才有结果)

如果结果是下面这样,说明 OCSP Stapling 已开启:

OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

而这样显然是未开启:

OCSP response: no response sent

开启ssl_stapling的两个条件

根据 nginx ssl_stapling 官方文档只需要两个条件即可:

  • 指定了resolver
  • 如果ssl_certificate没有包含中间商证书,则需要将中间证书包含在ssl_trusted_certificate中

letsencrypt certbot的ssl_certificate使用的是fullchain.pem,带了中间证书,所以只需要指定resolver即可。生成ssl_trusted_certificate和ssl_stapling_file的步骤不是必须的。

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=off;
resolver_timeout 5s;

查看当前域名的证书链

查看站点根证书,0,站点证书;1,中间证书,2,根证书

openssl s_client -connect c4ys.com:443 -servername c4ys.com -showcerts < /dev/null 2>&1

depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = c4ys.com
verify return:1

下载根证书

letsencrypt 的证书链介绍和下载

其他证书下载

cd /etc/letsencrypt/live/c4ys.com/
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
mv trustid-x3-root.pem.txt trustid-x3-root.pem

验证证书

openssl x509 -in cert.pem -noout -subject
openssl x509 -in chain.pem -noout -subject
openssl x509 -in trustid-x3-root.pem -noout -subject

生成ssl_trusted_certificate

cat cert.pem chain.pem  trustid-x3-root.pem > ca_bundled.pem

查看证书ocsp地址

查看证书签署,来自ocsp.int-x3.letsencrypt.org

openssl x509 -in cert.pem -noout -ocsp_uri

验证ocsp获取

openssl ocsp -no_nonce -text \
-issuer chain.pem \
-cert cert.pem \
-CAfile ca_bundled.pem \
-VAfile ca_bundled.pem \
-url http://ocsp.int-x3.letsencrypt.org/ \
-header "HOST" "ocsp.int-x3.letsencrypt.org"

发现超时,修改/etc/resolv.conf,服务器dns

nameserver 8.8.8.8

然后出现

Response verify OK
cert.pem: good

开启ssl_stapling

ssl_trusted_certificate /etc/letsencrypt/live/c4ys.com/ca_bundled.pem;

开启后可以通过前面的方法验证,第二次才有效

服务器缓存OSCP staplingresp(可选)

服务器可以将OSCP resp缓存起来,避免走国外下载

使用ssl_stapling_responder(方式一,推荐)

由于ssl_stapling_file需要手动更新,比较麻烦,所以通过http代理获取。
参考:https://jhuo.ca/post/ocsp-stapling-letsencrypt/

开启ssl_stapling_file(方式二,推荐)

ssl_stapling_file可以将oscp缓存起来,避免服务器下载

下载并保存 oscp resp

openssl ocsp -no_nonce -text \
-issuer chain.pem \
-cert cert.pem \
-CAfile ca_bundled.pem \
-VAfile ca_bundled.pem \
-url http://ocsp.int-x3.letsencrypt.org/ \
-header "HOST" "ocsp.int-x3.letsencrypt.org" \
-respout ocsp.resp

nginx启用ssl_stapling_file

ssl_stapling_file /etc/letsencrypt/live/c4ys.com/ocsp.resp;

自动更新ssl_stapling_file

oscp有效时间通常只有7天,所以需要使用脚本自动更新缓存,参考:https://quchao.com/entry/how-to-configure-ocsp-stapling-on-nginx-for-the-certificates-issued-by-lets-encrypt/

参考