Cause
Recently I got reports that the WeChat official-account H5 check-in page was slow, and the affected users all turned out to be on iOS. Some searching suggested the likely cause: the domain of the Let's Encrypt OCSP responder is DNS-poisoned, so the lookup has to go abroad and is slow. iOS clients check the certificate's revocation status via OCSP before trusting it, so each of them had to sit through that slow request. The fix is to enable OCSP Stapling, so that nginx fetches the OCSP response itself and hands it to the client inside the TLS handshake, and optionally to cache that response on the server.
The nginx error log shows:
ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out)
(nginx logs this once ssl_stapling is on but the resolver it was given cannot resolve the responder's hostname.)
Check whether the certificate is being served with OCSP Stapling
openssl s_client -connect c4ys.com:443 -servername c4ys.com -status -tlsextdebug < /dev/null 2>&1 | grep "OCSP"
(After an nginx restart run it twice: nginx only fetches the OCSP response after the first handshake, so only the second connection shows it.)
If the output looks like this, OCSP Stapling is enabled:
OCSP response:
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
And this clearly means it is not enabled:
OCSP response: no response sent
The two conditions for ssl_stapling
According to the nginx ssl_stapling documentation only two conditions must be met:
- a resolver is specified
- if ssl_certificate does not include the intermediate certificate, the intermediate must be present in ssl_trusted_certificate
certbot's ssl_certificate is fullchain.pem, which already contains the intermediate, so for stapling itself only the resolver is required; the ssl_trusted_certificate and ssl_stapling_file steps below are optional. ssl_stapling_verify on is the exception: to check the responder's signature nginx needs the intermediate and the root certificate configured as trusted via ssl_trusted_certificate, otherwise it logs a verification error and does not staple. The resolvers must also be reachable from the server itself; if they are not, the fetch fails with the "could not be resolved" error shown above.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=60s ipv6=off;
resolver_timeout 5s;
Inspect the domain's current certificate chain
Show the chain the site serves: depth 0 is the site certificate, depth 1 the intermediate, depth 2 the root
openssl s_client -connect c4ys.com:443 -servername c4ys.com -showcerts < /dev/null 2>&1
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = c4ys.com
verify return:1
Download the root certificate
(The chain above, DST Root CA X3 signing Let's Encrypt Authority X3, was current when this was written; download whichever root your own depth=2 line names.)
cd /etc/letsencrypt/live/c4ys.com/
wget https://letsencrypt.org/certs/trustid-x3-root.pem.txt
mv trustid-x3-root.pem.txt trustid-x3-root.pem
Verify the certificates (each command should print the subject you expect for that file)
openssl x509 -in cert.pem -noout -subject
openssl x509 -in chain.pem -noout -subject
openssl x509 -in trustid-x3-root.pem -noout -subject
Generate ssl_trusted_certificate
cat cert.pem chain.pem trustid-x3-root.pem > ca_bundled.pem
(Only chain.pem and the root are needed for nginx to verify the OCSP response; including cert.pem does no harm.)
Find the certificate's OCSP responder address
The responder comes from the certificate's Authority Information Access extension; for this certificate it is ocsp.int-x3.letsencrypt.org:
openssl x509 -in cert.pem -noout -ocsp_uri
Verify that the OCSP response can be fetched
(The two-argument -header "HOST" "..." form below is OpenSSL 1.0.x syntax; OpenSSL 1.1.0 and later take -header Host=ocsp.int-x3.letsencrypt.org instead.)
openssl ocsp -no_nonce -text \
-issuer chain.pem \
-cert cert.pem \
-CAfile ca_bundled.pem \
-VAfile ca_bundled.pem \
-url http://ocsp.int-x3.letsencrypt.org/ \
-header "HOST" "ocsp.int-x3.letsencrypt.org"
This timed out, so the server's DNS was changed in /etc/resolv.conf (this affects the openssl command and anything else using the system resolver; nginx uses the resolver directive configured above):
nameserver 8.8.8.8
After that the output was:
Response verify OK
cert.pem: good
Enable ssl_stapling
ssl_trusted_certificate /etc/letsencrypt/live/c4ys.com/ca_bundled.pem;
Once enabled, check with the s_client command from above; as before, the response only shows up on the second connection.
Caching the OCSP stapling response on the server (optional)
The server can keep a cached OCSP response so that it does not have to fetch one from abroad.
Method 1: ssl_stapling_responder (recommended)
Because ssl_stapling_file has to be refreshed by hand, which is tedious, an alternative is to point ssl_stapling_responder at a local caching HTTP proxy that forwards requests to the real responder.
Reference: https://jhuo.ca/post/ocsp-stapling-letsencrypt/
Method 2: ssl_stapling_file (recommended)
ssl_stapling_file lets nginx serve a pre-fetched OCSP response from disk, so nginx itself never contacts the responder.
Download and save the OCSP response (-respout writes the DER-encoded response, which is the format ssl_stapling_file expects):
openssl ocsp -no_nonce -text \
-issuer chain.pem \
-cert cert.pem \
-CAfile ca_bundled.pem \
-VAfile ca_bundled.pem \
-url http://ocsp.int-x3.letsencrypt.org/ \
-header "HOST" "ocsp.int-x3.letsencrypt.org" \
-respout ocsp.resp
Enable ssl_stapling_file in nginx
ssl_stapling_file /etc/letsencrypt/live/c4ys.com/ocsp.resp;
Refreshing ssl_stapling_file automatically
An OCSP response is normally valid for only about 7 days, so a script has to refresh the cached file and then reload nginx, which reads the file only when its configuration is loaded. See: https://quchao.com/entry/how-to-configure-ocsp-stapling-on-nginx-for-the-certificates-issued-by-lets-encrypt/
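As an added example (not code from the original post or from either of the linked references), the script below ties the stapling check from the "Check whether the certificate is being served with OCSP Stapling" section to the ssl_stapling_file refresh described here. It reads the responder URL from the certificate instead of hard-coding ocsp.int-x3.letsencrypt.org, handles the -header syntax change between OpenSSL 1.0.x and 1.1.0+, refuses to install a response that did not verify or whose status is not "good", replaces the file atomically before reloading nginx, and then connects twice with s_client to confirm the server is stapling. The file names follow the certbot layout used in this post; the reload command `nginx -s reload` and the script name refresh-ocsp.sh are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or its linked references.
# Refresh the DER response behind nginx's ssl_stapling_file and confirm that
# the server staples it afterwards.
#
# Assumed layout (certbot-style, as in the post): <live_dir>/cert.pem,
# <live_dir>/chain.pem, <live_dir>/ca_bundled.pem (chain + root) and the
# target <live_dir>/ocsp.resp. The reload command `nginx -s reload` and the
# script name refresh-ocsp.sh are assumptions.

# OpenSSL 1.0.x takes "-header name value"; 1.1.0 and later take
# "-header name=value". Emit the words to splice into the ocsp command.
ocsp_header_args() {
    ver="$1"   # output of `openssl version`, e.g. "OpenSSL 1.0.2k-fips  26 Jan 2017"
    hdr_host="$2"
    case "$ver" in
        "OpenSSL 0."*|"OpenSSL 1.0."*) printf '%s\n' "-header HOST $hdr_host" ;;
        *)                             printf '%s\n' "-header Host=$hdr_host" ;;
    esac
}

# Accept `openssl ocsp` output only if the response verified AND the status
# is "good": a "revoked" or "unknown" answer must never be installed.
ocsp_response_ok() {
    txt="$1"
    printf '%s\n' "$txt" | grep -q '^Response verify OK' &&
        printf '%s\n' "$txt" | grep -Eq '^[^:]+: good$'
}

# Classify `openssl s_client -status` output (the manual check from the post).
stapling_state() {
    sc_out="$1"
    if printf '%s\n' "$sc_out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
    elif printf '%s\n' "$sc_out" | grep -q 'OCSP response: no response sent'; then
        echo none
    else
        echo unknown
    fi
}

# Connect twice: nginx fetches the response after the first handshake, so the
# second connection is the one that tells the truth.
check_stapling() {
    h="$1"
    openssl s_client -connect "$h:443" -servername "$h" -status </dev/null >/dev/null 2>&1
    stapling_state "$(openssl s_client -connect "$h:443" -servername "$h" -status </dev/null 2>&1)"
}

# Fetch, verify, then install atomically and reload. On any failure the old
# file is left in place so nginx keeps stapling the previous, still valid, response.
refresh_ocsp() {
    live_dir="$1"
    cert="$live_dir/cert.pem"; issuer="$live_dir/chain.pem"
    bundle="$live_dir/ca_bundled.pem"; target="$live_dir/ocsp.resp"

    # Read the responder from the certificate's AIA extension rather than
    # hard-coding it; it changes whenever the CA rotates its intermediate.
    url=$(openssl x509 -in "$cert" -noout -ocsp_uri) || return 1
    resp_host=${url#*://}; resp_host=${resp_host%%/*}
    set -- $(ocsp_header_args "$(openssl version)" "$resp_host")

    tmp=$(mktemp "$live_dir/ocsp.resp.XXXXXX") || return 1
    out=$(openssl ocsp -no_nonce -issuer "$issuer" -cert "$cert" \
            -CAfile "$bundle" -VAfile "$bundle" -url "$url" "$@" \
            -respout "$tmp" 2>&1)
    if ocsp_response_ok "$out"; then
        mv -f "$tmp" "$target" && nginx -s reload
    else
        rm -f "$tmp"
        printf 'OCSP refresh failed, keeping %s:\n%s\n' "$target" "$out" >&2
        return 1
    fi
}

# Usage: refresh-ocsp.sh /etc/letsencrypt/live/c4ys.com c4ys.com
# Schedule it from cron well inside the response lifetime; daily is plenty
# for 7-day responses.
if [ "$#" -eq 2 ]; then
    refresh_ocsp "$1" && check_stapling "$2"
fi
```

Run it as root from cron with the live directory and the hostname as arguments. Keeping the old ocsp.resp when the fetch fails is deliberate: a stale but still valid stapled response is better than none, and a "revoked" or "unknown" answer is something to alert on, not to serve.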