Implement periodic fetching of OCSP responses in a cron job

[jsha]

In #950, I add OCSP stapling in Nginx using its own fetcher. However, this is best-effort and fails to staple a response on the first request after startup.

Instead, we should use ssl_stapling_file, which allows us to prefetch an OCSP response for each certificate and store it in a file to be loaded by Nginx. This will increase reliability, which is very important since we would like to eventually be able to implement OCSP Must Staple.

The cron job that fetches the OCSP response should run about once an hour. Even though OCSP responses are currently only regenerated every three days, this ensures that if there is any downtime or slop, the server gets an updated version very soon after it is available.

[hlieberman]

If you do this as a script, a la letsencrypt-renewer, we can ensure that it is installed with a cronjob on Debian and its derivatives as part of the letsencrypt-nginx package.

[centminmod]

i'd also be mindful that some folks have load balanced web servers and not just a standalone web server

[audreytoskin]

Something similar to @jsha's pull request is the only thing that works for me. (The actual solution I'm currently using is based on Troon's shell script and Nginx config lines from comment 19 in this Let's Encrypt forum thread.)

The certbot documentation recommends setting the Nginx config variable ssl_trusted_certificate to your chain.pem file. However, I was still getting messages like this:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"

...in systemd journal, and Nginx was not sending the stapled OCSP response. I tried many variations on the configurations recommended in the certbot and Nginx documentation. However prefetching an OCSP response and using that for Nginx ssl_stapling_file, as mentioned, were the only things to properly enable OCSP stapling on my server:

• Fedora 25 Server x86_64
• Nginx 1.10.2
• certbot 0.9.3
• OpenSSL 1.0.2j

In fact, certbot's recommended ssl_trusted_certificate setting made no difference; Nginx continued serving the OCSP response even after I removed the trusted certificate line (perhaps because fullchain.pem provides everything and is used in the Nginx config ssl_certificate).

If jsha's pull request never gets merged, I think at least the certbot documentation should probably be updated.

[jsha]

The certbot documentation recommends setting the Nginx config variable ssl_trusted_certificate to your chain.pem file. However, I was still getting messages like this:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"

I'm pretty sure that's unrelated to ssl_trusted_certificate. Sounds like you were having some DNS problems?

ssl_trusted_certificate only has an effect if you also use ssl_stapling_verify. Were you using that?

[audreytoskin]

ssl_trusted_certificate only has an effect if you also use ssl_stapling_verify. Were you using that?

Yes. However, the "ssl_stapling ignored" error went away after adding ssl_stapling_file and OCSP stapling seems still to be working even after removing ssl_trusted_certificate.

It also works without setting resolver in Nginx, so I don't think it was a DNS problem.

[audreytoskin]

...I'd hoped only to add my support for the idea of prefetching OCSP responses. If my actual problem is different and I'm getting off topic, then I could start a new bug report :/

[SnijderC]

@jsha We just released this, still in Alpha but might be interesting: https://github.com/greenhost/ocspd

[jsha]

@SnijderC that looks awesome. I think it might be suitable for incorporation into Certbot as-is, or we could pull out the code for fetching and storing responses, and make it part of certbot renew. I posted on your repo: would you mind adding a license file so we know if we can use the code? Thanks!

[SnijderC]

@jsha ok, so as you have probably seen, I added a license, we chose the same license as Certbots for convenience, I had to take a dependency out because it was incompatible.

We wrote this to run in a web hosting environment, so it's made to be scalable, you can run multiple processes and it runs lengthy/blocking processes in threads. It's meant to run 24/7/365, so it's a daemon with quite a bit of error handling to prevent it from locking up. It's also very efficient in that it only refreshes n hours (default=2hrs) before the current staple expires.

Having said that, I think this doesn't quite match up with the "average certbot" user's requirements. So the way I see it is there are 3 ways to incorporate this in certbot.

1. We include it as a daemon as-is. We set some sane defaults for small scale use, 1 or 2 threads should work perfectly fine and the application is still very lean so no harm done.
2. We extract the main logic and make this part of the renew process, this seams to make sense because it's the least invasive way of including OCSP stapling for the "average certbot" user, though probably not the most common use case (I suspect it's Apache).
3. Not really incorporating but maybe you could simply reference to our project from yours for NGiNX and HAProxy users.

Also please note that we have no unittests because it's an application that just combines already existing components for the most part (this is not an excuse, I still do want to - and/or should have included some unittests). But for this kind of application functional tests seems to make more sense, but we didn't do this yet because it involves running an ocsp server etc.. By the way, if anyone wants to contribute to that, more than welcome! The reason for this explanation is that "incorporation as-is" seems to conflict with the testing coverage of your project.

So please let me know, what you think, and what you would like to do. If you would like to do any of the options outlined above, or you have a suggestion of your own, I would be more than happy to help out as much as I can.

[jsha]

We extract the main logic and make this part of the renew process, this seams to make sense because it's the least invasive way of including OCSP stapling for the "average certbot" user, though probably not the most common use case (I suspect it's Apache).

This seems ideal to me. @bmw, @ohemorange?

As you say, this doesn't solve the Apache use case. For Apache the fix would be to use SSLStaplingForceURL and point it at a local OCSP proxy. However, I'd be pretty happy to solve this problem just for Nginx and HAProxy for now. It would be straightforward to later write a small OCSP proxy that reads files from /etc/letsencrypt for use with Apache.

[bmw]

I agree option 2 is probably the best approach and we'd certainly be open to incorporating something like this into Certbot.

The biggest potential concern I have here are about dependencies. What additional dependencies would Certbot need to do this? I'm a bit worried about making negative progress on #1301, requiring dependencies that aren't available in Debian yet, adding another crypto library, or going back on our promise to Debian about not adding any new non-optional dependencies. We can certainly work around some or all of these problems, but I'm curious what would be required here.

@jsha, one question for you is how often would you like this to run? In your original post you suggested every hour. Would you want us to change our renewal recommendations to run certbot renew every hour or do you think our current every 12 hour recommendation good enough for this?

[jsha]

Good point about the non-Debian deps. At first I thought this would only need asn1crypto, which we've previously considered including, but it looks like it also pulls in oscrypto and ocspbuilder. I haven't looked at those to see how heavyweight they are.

Stepping back a bit: I think you told me offline that pycryptography and PyOpenSSL don't have the necessary functions to fetch and validate OCSP. Is that accurate? If so, some choices:

1. don't support any OCSP fetching because Debian forbids us new dependencies
2. maintain a Debian fork that doesn't do OCSP fetching
3. shell out to OpenSSL for OCSP fetching
4. define an extension mechanism for things that happen at "renew" time, and put OCSP fetching in its own Python package, which wouldn't be included in the Debian build.

I'm fine with fetching OCSP every 12 hours. That's more than sufficient for the stapling use case. For the "reissue if revoked for key compromise" use case, more frequently would be better, but let's cross that bridge when we come to it.