YES OCSP Stapling works with a Cloudflare Free Account
issue in nginx logs:
OCSP_basic_verify() failed (SSL: error:13800076:OCSP routines::signer certificate not found) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80, certificate: “cloudflare_certificate-ecc.pem”
What steps have you taken to resolve the issue?
So on the internet and around this Community I saw a lot of people trying to figure out how to do OCSP stapling with the Cloudflare CA root.
As I also had that issue and fixed it, here is how I proceeded…
It is explained in the documentation, but it is far…
- in the Cloudflare dashboard, select one of your domains
- then under SSL/TLS → Origin Server, at the top you will see: Origin server SSL/TLS documentation;
- then at "2. Install Origin CA certificate on origin server" of the Origin CA certificates page (in my case it's NGINX)
- it will redirect you to a DigiCert page
- which will explain to you that you have to concatenate your certificate with the CA_ROOT certificate (step 2.3.b)
- and will give you an example of NGINX configuration (step 2.4.c)
… so how to do it (TL;DR)
1. Cloudflare Side
- Create a free TLS certificate signed by Cloudflare to install on your origin server (it's under SSL/TLS → Origin Server)
I recommend ECC: elliptic curve is usually faster
- Download the Cloudflare Origin CA root certificate
- Concatenate your certificate.pem (not the private key) with the Cloudflare Origin CA root certificate (in my case it's the ECC.pem); use a single > so that re-running the command does not append a second copy of the chain:
cat my_domain_certificate-ecc.pem cloudflare_ca_ecc_root.pem > cloudflare_combined_cert-ecc.pem
2. Server Side
- in my case it’s NGINX; (otherwise: reference)
SSL Config Part
ssl_certificate ../keys/cloudflare_combined_cert-ecc.pem;
ssl_certificate_key ../keys/cloudflare_privatekey-ecc.pem;
ssl_trusted_certificate ../keys/cloudflare_ca_ecc_root.pem;
resolver 1.1.1.1 1.0.0.1 valid=60s;
ssl_stapling_verify on;
ssl_stapling on;
What I noticed during my research (Common Mistake)
Most people will miss the concatenation for the ssl_certificate, and they will only put the certificate generated by Cloudflare for their domain.
ssl_certificate .../keys/my_domain_certificate-ecc.pem;
instead of: ssl_certificate .../keys/cloudflare_combined_cert-ecc.pem;
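The two things that go wrong in the steps above are passing the wrong file (the private key instead of the certificate) and forgetting the concatenation, which is exactly what produces the "signer certificate not found" error in the nginx log. The following POSIX shell script is an added example, not code from the original post or from Cloudflare: it builds the combined chain in the order the post describes (leaf first, Origin CA root second) and checks a file meant for ssl_certificate for the missing-CA mistake. The file names mirror the post's; the PEM contents are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example: build the leaf + Cloudflare Origin CA chain and detect the
# "only the domain certificate in ssl_certificate" mistake. Not Cloudflare's code.

# Count PEM certificate blocks in a file (0 if the file is missing or empty).
count_certs() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Build the chain: leaf certificate first, then the CA root. Prints the output
# path. Refuses to run if either input is a private key or not a PEM certificate.
build_chain() {
    leaf="$1"; root="$2"; out="$3"
    if grep -q -- 'PRIVATE KEY' "$leaf" "$root"; then
        echo "refusing: a private key was passed instead of a certificate" >&2
        return 1
    fi
    if [ "$(count_certs "$leaf")" -lt 1 ] || [ "$(count_certs "$root")" -lt 1 ]; then
        echo "refusing: input is not a PEM certificate" >&2
        return 1
    fi
    # '>' rather than '>>': re-running must not append a second copy of the chain
    cat "$leaf" "$root" > "$out"
    echo "$out"
}

# Check a file intended for nginx's ssl_certificate: it must hold the leaf AND
# the issuing CA, otherwise OCSP_basic_verify() cannot locate the signer.
check_chain() {
    n=$(count_certs "$1")
    if [ "$n" -ge 2 ]; then
        echo "ok: $1 contains $n certificates (leaf + CA)"
        return 0
    fi
    echo "mistake: $1 contains only $n certificate; concatenate the Origin CA root" >&2
    return 1
}

# --- constructed demo input: placeholder PEM blocks, not real certificates ---
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nLEAF_PLACEHOLDER\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/my_domain_certificate-ecc.pem"
printf -- '-----BEGIN CERTIFICATE-----\nROOT_PLACEHOLDER\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/cloudflare_ca_ecc_root.pem"
printf -- '-----BEGIN EC PRIVATE KEY-----\nKEY_PLACEHOLDER\n-----END EC PRIVATE KEY-----\n' \
    > "$demo_dir/cloudflare_privatekey-ecc.pem"

build_chain "$demo_dir/my_domain_certificate-ecc.pem" "$demo_dir/cloudflare_ca_ecc_root.pem" \
    "$demo_dir/cloudflare_combined_cert-ecc.pem" > /dev/null
check_chain "$demo_dir/cloudflare_combined_cert-ecc.pem"        # passes: 2 certificates
check_chain "$demo_dir/my_domain_certificate-ecc.pem" || true   # fails: only the leaf
```

Once the combined file is in place and nginx has been reloaded, the stapling itself can be confirmed from a client with openssl's s_client using its -status option (for example `openssl s_client -connect your-origin.example:443 -status </dev/null`, where the host name is a placeholder): a working setup prints an "OCSP Response Status: successful" section, whereas a server still hitting the error above reports no OCSP response.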
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)