Ingress-nginx: [nginx] Support ssl ocsp stapling

Created on 9 Mar 2017 · 8 comments · Source: kubernetes/ingress-nginx

Would love to see support for this implemented. The options to enable are fairly trivial.

More on configuration here and OCSP stapling here.

Something like:

    {{ if $cfg.SSLStapling }}
    ssl_stapling on;
    ssl_stapling_verify on;
    {{ end }}

By default these global options should be off. This is because not every certificate contains the root/intermediate combined for the webserver to actually properly perform OCSP. Luckily, LetsEncrypt does. Because of this, I think it's best to have the global options disabled by default but allow an annotation for ingresses to optionally enable this.

Although, this could go deeper for per-ingress enablement as there is also the ssl_trusted_certificate option where people can also manually specify their root/intermediate cert.

There is actually another issue asking for this here (in the old repo) as well.

nginx

All 8 comments

This is because not every certificate contains the root/intermediate combined for the webserver to actually properly perform OCSP

that is the reason why I never added these options ;)

Luckily, LetsEncrypt does.

Maybe we can check if the certificate contains the necessary information and enable this per SSL certificate

Maybe we can check if the certificate contains the necessary information and enable this per SSL certificate

That would be awesome, and by the way start checking from the ground up if the chain is signed properly.

For people here using kube-lego, this issue is presently open regarding getting the must staple option included in newly requested certs.

This will be required for many implementations of Certificate Transparency. For example, I know Let's Encrypt planned to embed them in OCSP responses.

As Google Chrome will not be trusting any certs without CT starting October 2017, it would be nice if we had a stable version with OCSP stapling by then.

If any of you had an issue enabling OCSP like me, follow the steps below.

  1. Create configmap
    kubectl create secret tls foo-bar --key foo-bar-privkey.key --cert foo-bar-cert.crt
  2. Update the Nginx ingress deployment with the following values (very important).
    --enable-dynamic-certificates=false
    --enable-ssl-chain-completion=true
  3. To confirm OCSP is enabled, check the following.
    kubectl exec -it nginx-ingress-controller-xxx sh
    $ cat /etc/nginx/nginx.conf | grep ssl
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_certificate /etc/ingress-controller/ssl/foo-bar-privkey.pem;
    ssl_certificate_key /etc/ingress-controller/ssl/foo-bar-cert.pem;
    ssl_trusted_certificate /etc/ingress-controller/ssl/foo-bar-cert.pem;
  4. Verify OCSP by using the following command.
    openssl s_client -showcerts -servername foo.bar -connect foo.bar:443 -status

    OCSP response:
    OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

Notes:

  1. Make sure the certificate contains the "server certificate" and the "intermediate certificate". If you are using Let's Encrypt, fullchain.pem is sufficient.
  2. https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/
  3. You will see ssl_stapling only when OCSP is enabled correctly.
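The maintainer's suggestion earlier in the thread (check whether a certificate carries the information needed for stapling and enable it per certificate, verifying the chain "from the ground up") and note 1 of the steps above (server plus intermediate certificate in one file) come down to the same inspection of the PEM bundle. The block below is an added example in Go, ingress-nginx's own language; it is not code from the ingress-nginx project or from any commenter. `StaplingReport`, `CheckStapling` and `BuildSampleBundle` are names chosen for this example, and the certificates it builds, the host `foo.bar` and the responder URL `http://ocsp.sample.invalid` are constructed so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// StaplingReport is this example's own summary (not an ingress-nginx type) of what a bundle gives nginx for ssl_stapling.
type StaplingReport struct {
	CertCount       int    // CERTIFICATE blocks in the bundle, leaf first
	HasIntermediate bool   // an issuer certificate follows the leaf
	ChainSignedOK   bool   // every certificate is signed by the one after it
	OCSPResponder   string // leaf's AIA OCSP URL, empty if absent
}

// CheckStapling is the per-certificate check the thread proposes: is the intermediate
// present, does the chain verify bottom-up, and does the leaf name an OCSP responder?
func CheckStapling(bundle []byte) (StaplingReport, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other blocks mixed into the file
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return StaplingReport{}, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return StaplingReport{}, fmt.Errorf("no CERTIFICATE block in bundle")
	}
	leaf := certs[0]
	r := StaplingReport{CertCount: len(certs), HasIntermediate: len(certs) > 1}
	if len(leaf.OCSPServer) > 0 {
		r.OCSPResponder = leaf.OCSPServer[0]
	}
	// Walk upward: without a verified issuer, nginx has nothing to validate the OCSP response against.
	r.ChainSignedOK = len(certs) > 1
	for i := 0; i+1 < len(certs); i++ {
		if certs[i].CheckSignatureFrom(certs[i+1]) != nil {
			r.ChainSignedOK = false
		}
	}
	return r, nil
}

func must(der []byte, err error) []byte {
	if err != nil {
		panic(err)
	}
	return der
}

// BuildSampleBundle creates a constructed intermediate CA plus a leaf for "foo.bar"
// (the thread's placeholder host) with a constructed OCSP URL. withIssuer mimics
// Let's Encrypt's fullchain.pem versus a bare cert.pem.
func BuildSampleBundle(withIssuer bool) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Intermediate CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "foo.bar"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:   x509.KeyUsageDigitalSignature,
		OCSPServer: []string{"http://ocsp.sample.invalid"}, // constructed, not a real responder
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	if withIssuer {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
	}
	return out
}

func main() {
	for _, full := range []bool{true, false} {
		r, err := CheckStapling(BuildSampleBundle(full))
		fmt.Printf("withIssuer=%v report=%+v err=%v\n", full, r, err)
	}
}
```

With the intermediate appended the report shows two certificates, a verified chain and a responder URL, which is what nginx needs before `ssl_stapling` and `ssl_stapling_verify` can do anything useful; a bare leaf yields one certificate and no verified chain, the case the thread says must stay off by default. Go's `crypto/x509` fills `OCSPServer` from the leaf's Authority Information Access extension, so a leaf with no responder URL is reported as such even when the chain is complete.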

Hi,

If any of you had an issue enabling OCSP like me, follow the steps below.

...

  1. Update the Nginx ingress deployment with the following values (very important).
    --enable-dynamic-certificates=false
    --enable-ssl-chain-completion=true
    ...

Could you please explain where I can add these "args"? Apparently I cannot add these to a running nginx-ingress-controller in minikube (as an addon).

Thank you for your support.

Peter

It needs to be added in the nginx-ingress-deployment.yaml file. Snippet of configuration:

    containers:
      - name: nginx-ingress-controller
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
        args:
          - /nginx-ingress-controller
          - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
          - --configmap=$(POD_NAMESPACE)/nginx-configuration
          - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
          - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
          - --publish-service=$(POD_NAMESPACE)/ingress-nginx
          - --annotations-prefix=nginx.ingress.kubernetes.io
          - --enable-dynamic-certificates=false
          - --enable-ssl-chain-completion=true
          - --default-ssl-certificate=$(POD_NAMESPACE)/star-example-cert

Well I don't have this file (as I installed this with "minikube addons enable ingress")...
