Let's Encrypt - nginx - OCSP stapling
Following the standard nginx setup, you should not need to specify an ssl_trusted_certificate
chain. The following should be sufficient:
ssl_certificate /etc/letsencrypt/live/myexample.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myexample.org/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
See here for further context.
I found the solution based on the tutorial I found there:
cd /etc/ssl/private
wget -O - https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem https://letsencrypt.org/certs/letsencryptauthorityx1.pem https://www.identrust.com/certificates/trustid/root-download-x3.html | tee -a ca-certs.pem > /dev/null
and add this to your site/server config
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
Reload your config.
IMPORTANT: Open your browser and access your webpage once.
Then you can test your server locally with this cmd:
openssl s_client -connect myexample.org:443 -tlsextdebug -status
You will most likely get a valid response like this
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
Don't worry if you also get a
Verify return code: 20 (unable to get local issuer certificate)
at the bottom; the Let's Encrypt certificate is not yet in the default trusted certificate stores. (I don't have much SSL experience, so I might be wrong.)
The error will not show up if you execute the following cmd on the server:
openssl s_client -CApath /etc/ssl/private/ -connect myexample.org:443 -tlsextdebug -status
After that you can test your server using:
https://www.digicert.com/help/
Be aware that right now OCSP responses won't be picked up by the ssllabs tests. I assume this is because the Let's Encrypt certificate is not yet in the default trusted certificate stores.
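The two steps in the answer above (building the ca-certs.pem bundle, then checking the server with openssl s_client -status) are easy to get subtly wrong: the wget pipeline appends whatever the URLs return, so an HTML download page or an error page silently ends up in the bundle and nginx then refuses to load ssl_trusted_certificate, and the s_client output has to be read by eye. The following bash script is an added example, not code from either answer; it assumes bash and the openssl CLI are installed, the host name myexample.org is a placeholder, and the s_client output samples used in the usage comments are constructed, not captured from a real server. It validates each file as a PEM certificate before appending it, counts what ended up in the bundle, and classifies captured s_client output.

```bash
#!/usr/bin/env bash
# Added example (not from the original answers). Assumes bash and the openssl CLI.
# Builds an ssl_trusted_certificate bundle safely and checks a stapled OCSP response.

# Append FILE to BUNDLE only if it parses as a PEM certificate. Re-emitting it
# through `openssl x509` also normalises the trailing newline and drops any
# text around the PEM block, which keeps nginx from choking on the bundle.
append_cert_if_valid() {          # usage: append_cert_if_valid FILE BUNDLE
    local file="$1" bundle="$2"
    if openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        openssl x509 -in "$file" >> "$bundle"
        printf 'added: %s\n' "$(openssl x509 -in "$file" -noout -subject)"
        return 0
    fi
    printf 'skipped (not a PEM certificate): %s\n' "$file" >&2
    return 1
}

# Number of certificates in a bundle. For ssl_stapling_verify nginx needs the
# issuing intermediate(s) and the root in here, so expect at least two.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Classify the text printed by `openssl s_client -status` (passed as a string).
# Exit codes: 0 = stapled response present and "successful",
#             1 = server sent no OCSP response (stapling is not working yet),
#             2 = a response was sent but its status is not "successful".
stapling_status() {
    local out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        return 1
    fi
    return 2
}

# Pull the numeric "Verify return code" out of the s_client output, so a 20
# (unable to get local issuer certificate) is told apart from 0 (ok).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n1
}

# Live check against a real server (needs network). -servername sends SNI so the
# right vhost answers; the -tls1 flag from the answer is left out because a
# TLS 1.2-only server rejects it and you would see no stapled response at all.
# As the answer says, request the site once first so nginx has fetched a response.
check_host() {                    # usage: check_host myexample.org [CAFILE]
    local host="$1" cafile="${2:-}" out rc
    local -a extra=()
    [ -n "$cafile" ] && extra=(-CAfile "$cafile")
    out=$(openssl s_client -connect "$host:443" -servername "$host" -status \
            "${extra[@]}" </dev/null 2>&1)
    stapling_status "$out"; rc=$?
    printf '%s: stapling rc=%s verify=%s\n' "$host" "$rc" "$(verify_code "$out")"
    return "$rc"
}

# Only hit the network when explicitly asked, e.g.
#   STAPLING_HOST=myexample.org bash check-stapling.sh
if [ -n "${STAPLING_HOST:-}" ]; then
    check_host "$STAPLING_HOST" "${STAPLING_CAFILE:-}"
fi
```

Run the bundle step as append_cert_if_valid downloaded.pem /etc/ssl/private/ca-certs.pem for each file instead of piping wget straight into tee; a rejected file is reported on stderr rather than silently corrupting the bundle. Passing the bundle as the second argument to check_host is the same as the -CApath variant in the answer and makes the verify code drop from 20 to 0 once the chain is complete.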