Hi, I am getting stuck in OCSP stapling, since ocsp.int-x3.letsencrypt.org is not accessible/reachable from my location (China).
I hope Caddy can provide features similar to Nginx ssl_ocsp_responder for overriding OCSP responder, so that I can set up a proxy for it.
I think this would need to be implemented in https://github.com/caddyserver/certmagic actually, and if done there, an option would then need to be exposed in Caddy.
Yep, it'll be implemented in CertMagic then exposed here in Caddy.
Is there ever a reason that the overrides would be per-site? i.e. would configuring a global mapping of OCSP responder -> custom OCSP responder be a good solution?
Nginx supports both of them; it would be nice to have them all.
@razonyang How does it support both? From what I can see at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ocsp_responder, it looks like you just specify a single responder for all certs in that context.
@mholt As the documentation mentioned, ssl_ocsp_responder can be placed in the http or server context (tested locally).
But overriding the OCSP responder globally is good enough for my use case.
I saw that, but there can be different OCSP servers for different CAs, regardless of the server or site that's being served. That's why I am asking: nginx's implementation doesn't really make sense. It feels like the right way to do this is to map one OCSP server to another, rather than assuming one OCSP server for a whole batch of certificates. And I think that mapping could be global.
It seems no more feedback has come up. As you said, global mapping is good enough.
I'm suffering from this OCSP timeout issue too, just because my server is located in China.
I just hope the config reload process could let the sites go online before checking for OCSP timeouts, or at least not time out sequentially. In my case, my 12-site configuration needs at least 12*30s = 6 min to become available to my visitors.
I've implemented this in CertMagic, now to expose configuration parameters in Caddy.
Implemented in 09432ba. To simply disable all OCSP stapling:
{
ocsp_stapling off
}
will do the trick in the Caddyfile. With JSON config, you can do the same but also override responder URLs by mapping the embedded ones to their replacements. (See code for now; docs will be updated when released.)
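The JSON form of the two options described above, as an added example that is not from this thread or the Caddy docs: the first policy turns stapling off for one site, the second keeps stapling for another site but maps the responder URL embedded in its certificate (the one from the original report) to a reachable proxy. The proxy host is a placeholder, and the field names are those of the automation policy in Caddy's released JSON config, so check the docs for the version you run.

```json
{
  "apps": {
    "tls": {
      "automation": {
        "policies": [
          {
            "subjects": ["legacy.example.com"],
            "disable_ocsp_stapling": true
          },
          {
            "subjects": ["www.example.com"],
            "ocsp_overrides": {
              "http://ocsp.int-x3.letsencrypt.org": "http://ocsp-proxy.internal.example:8080"
            }
          }
        ]
      }
    }
  }
}
```

The proxy host must forward the OCSP requests unchanged to the real responder; you can confirm a staple is actually being served with `openssl s_client -connect www.example.com:443 -status`, which prints the stapled response when one is attached.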