OCSP Stapling implementation

If I have set-up my site so that it serves via https from cloudflare, and has “Full (strict)” implemented under the SSL/TLS part of the control panel, do I need to do anything more to obtain OCSP stapling for my site? I had this working prior to using Cloudflare, served via my Nginx webserver, but the connection from my webserver to Cloudflare is done via a private certificate. There are sporadic mentions of OCSP for Cloudflare, suggesting that the process only works sporadically, but nothing clear concerning what - if anything - needs to be done to implement this service.

Those mentions generally explain that Cloudflare can’t keep up the volume of requests to keep OCSP valid at all times.

True, but there is not clear statement that Cloudflare will take care of the OCSP stapling without any need for intervention from the user’s part (beyond enabling https). Is that the case? If it is, then that is odd, as my site has never been identified as implementing stapling (by e.g. https://www.digicert.com/help/) since I have had it with cloudflare…

Prior to using Cloudflare, I had implemented OCSP stapling for “artifuse.ch” via an Nginx webserver and a Letsencrypt certificate. This involved the following settings in my Nginx config:

ssl_stapling on;                 # serve a stapled OCSP response in the TLS handshake
ssl_stapling_verify on;          # verify the fetched OCSP response against the trusted chain
resolver 8.8.4.4 8.8.8.8;        # resolver Nginx uses to look up the OCSP responder host
ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;  # CA chain used to verify the response

where “ca-certs.pem” was the chained CA bundle, as described here: https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

I have since moved to the cloudflare free plan, with SSL delivered using the “Cloudflare Universal SSL certificate” implemented through the “Edge Certificates” section of the SSL/TLS control panel. SSL seems to be working fine, and the certificate chain is healthy, as reported by: https://www.digicert.com/help/

With cloudflare, I have commented out the Nginx settings referred to above, as I think these are done by the cloudflare edge servers, as implied by various online materials, including:


Ever since I moved to cloudflare, however, OCSP stapling has not been identified as implemented on my site by digicert. I have fiddled with settings, but to no effect, and am now low on ideas. The only remaining option I can think of is to re-implement stapling on my webserver. But if I need to that when using cloudflare, then how do I construct the certificate chain listed under ssl_trusted_certificate - these edge certificates are all managed by cloudflare?

Not sure what to do now…
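A quick way to confirm what the post above describes (the Cloudflare edge sometimes presenting a stapled OCSP response and sometimes not) is to ask the edge directly with the openssl CLI instead of relying on a third-party checker. The script below is an added example, not something from the thread or from Cloudflare; it assumes the openssl binary is installed, and the hostname passed to check_stapling is a placeholder you replace with your own site. The parser is split out so it can be exercised on constructed output without network access.

```shell
#!/bin/sh
# Added example: report whether a TLS endpoint staples an OCSP response.
# Assumes the openssl CLI is available; hostnames are placeholders.

# Classify the output of "openssl s_client -status".
# Prints stapled / not-stapled / unknown and returns 0 / 1 / 2.
ocsp_staple_status() {
    out="$1"
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        echo stapled
        return 0
    elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
        echo not-stapled
        return 1
    else
        echo unknown
        return 2
    fi
}

# Connect to host:443 with SNI and request a stapled response (-status).
# "Q" on stdin closes the session once the handshake output is printed.
check_stapling() {
    host="$1"
    out=$(printf 'Q\n' | openssl s_client -connect "$host:443" \
              -servername "$host" -status 2>/dev/null)
    ocsp_staple_status "$out"
}

# Run a few handshakes in a row: a CDN edge can answer from different
# servers, so a single probe may not reflect every connection.
check_stapling_repeated() {
    host="$1"
    n="${2:-5}"
    i=0
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        printf '%s attempt %d: ' "$host" "$i"
        check_stapling "$host" || true
    done
}

# Usage (replace the placeholder with your own domain):
# check_stapling_repeated example.invalid 5
```

Because the edge may staple on one connection and not the next, the repeated probe gives a better picture than a single check; an "unknown" result usually means the handshake itself failed (wrong hostname, no route, or openssl missing), not that stapling is absent.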

All you can do is wait on Cloudflare to put in the resources needed to keep OCSP staples valid. You cannot fix this issue on your Origin (unless you go :grey:!)


#michael - that’s what I had worried would be the case.
