Solution for OCSP stapling

YES, OCSP stapling works with a Cloudflare Free account.

issue in nginx logs:

OCSP_basic_verify() failed (SSL: error:13800076:OCSP routines::signer certificate not found) while requesting certificate status, responder: ocsp.cloudflare.com, peer: 104.16.133.229:80, certificate: "cloudflare_certificate-ecc.pem"

What steps have you taken to resolve the issue?

On the internet and around this Community I saw a lot of people trying to figure out how to do OCSP stapling with the Cloudflare CA root.
As I had the same issue and fixed it, here is how I proceeded…

It is explained in the documentation, but it is far…

  1. In the Cloudflare dashboard, select one of your domains
  2. then under SSL/TLS → Origin Server, at the top, you will see: Origin server SSL/TLS documentation;
  3. then go to "2. Install Origin CA certificate on origin server" under Origin CA certificates (in my case it's NGINX)
  4. it will redirect you to a DigiCert page
  5. which explains that you have to concatenate your certificate with the CA root certificate (step 2.3.b)
  6. and gives you an example NGINX configuration (step 2.4.c)

… so how to do it (TL;DR)

1. Cloudflare Side

  1. Create a free TLS certificate signed by Cloudflare to install on your origin server (it's under SSL/TLS → Origin Server)

I recommend an ECC certificate: elliptic curve is usually faster :wink:

  2. Download the Cloudflare Origin CA root certificate
  3. Concatenate your certificate.pem (not the private key) with the Cloudflare Origin CA root certificate (in my case it's the ECC .pem), leaf certificate first:

cat my_domain_certificate-ecc.pem cloudflare_ca_ecc_root.pem > cloudflare_combined_cert-ecc.pem

2. Server Side

  • in my case it's NGINX (otherwise: see the reference for your server)

SSL Config Part

# leaf certificate followed by the Cloudflare Origin CA root (the concatenated file)
ssl_certificate ../keys/cloudflare_combined_cert-ecc.pem;
ssl_certificate_key ../keys/cloudflare_privatekey-ecc.pem;
# CA root used to verify the stapled OCSP response signer
ssl_trusted_certificate ../keys/cloudflare_ca_ecc_root.pem;
# resolver nginx uses to reach ocsp.cloudflare.com
resolver 1.1.1.1 1.0.0.1 valid=60s;
ssl_stapling_verify on;
ssl_stapling on;

What I noticed during my research (Common Mistake)

Most people miss the concatenation for ssl_certificate and only put the certificate generated by Cloudflare for their domain:

ssl_certificate .../keys/my_domain_certificate-ecc.pem;

instead of:

ssl_certificate .../keys/cloudflare_combined_cert-ecc.pem;
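Added example (not from the original post, not Cloudflare's or nginx's own tooling): a small shell helper that builds the combined file the way described above and checks it before pointing ssl_certificate at it, so the single-certificate mistake is caught before nginx logs the OCSP error. File names are placeholders; the files are assumed to be standard PEM with BEGIN/END CERTIFICATE markers.

```shell
#!/bin/sh
# Count the PEM certificate blocks in a file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Build the chain file: leaf certificate first, then the Cloudflare Origin CA
# root. Uses '>' (not '>>') so re-running does not append a second copy.
build_chain() {
    cat "$1" "$2" > "$3"
}

# Return 0 if "$1" is a usable ssl_certificate chain for leaf "$2":
# at least two certificates, and the file must begin with the exact leaf.
# A one-certificate file is the common mistake from the post.
chain_ok() {
    combined=$1
    leaf=$2
    [ "$(cert_count "$combined")" -ge 2 ] || return 1
    n=$(wc -l < "$leaf" | tr -d ' ')
    head -n "$n" "$combined" | cmp -s - "$leaf"
}

# Ask a live server for its stapled OCSP response (needs openssl on PATH;
# hostname is a placeholder, not exercised offline).
staple_status() {
    printf 'QUIT\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -E 'OCSP Response Status|OCSP response: no response sent'
}
```

After reloading nginx, `staple_status example.com` should print an "OCSP Response Status: successful" line; "no response sent" means the staple is still not being served.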

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What is the current SSL/TLS setting?

Full (strict)

