OCSP stapling with Let's Encrypt certificates


I’m trying to get OCSP stapling working with HAProxy and certificates from letsencrypt.org but running into a problem.

I’ve got HAProxy setup with SSL termination for a number of domains (on a single IP) and it all works fine, except for the OCSP stapling part.

The bind line in my haproxy.cfg frontend is:

bind 208.101.xx.xx:443 ssl crt /etc/haproxy/certs/

I have a script to get the OCSP response which is something like this:

openssl ocsp -no_nonce -respout /etc/haproxy/certs/mydomain.com.pem.ocsp -issuer /etc/letsencrypt/live/mydomain.com/chain.pem -verify_other /etc/letsencrypt/live/mydomain.com/chain.pem -cert /etc/letsencrypt/live/mydomain.com/cert.pem -url http://ocsp.int-x3.letsencrypt.org/ -header “HOST” “ocsp.int-x3.letsencrypt.org

This seems to be fine, it responds as,

Response verify OK
/etc/letsencrypt/live/mydomain.com/cert.pem: good
This Update: Oct 18 01:00:00 2016 GMT
Next Update: Oct 25 01:00:00 2016 GMT

So the .ocsp file is in my HAProxy cert directory. I also copy over the issuer file from the let’s encrypt certificates:

cp /etc/letsencrypt/live/mydomain.com/chain.pem /etc/haproxy/certs/mydomain.com.pem.issuer

Now I have both the .issuer and .ocsp files in my HAProxy cert directory. (The .ocsp file is in a binary format)

-rw------- 1 user user 5221 Oct 17 20:41 mydomain.com.pem
-rw------- 1 user user 1647 Oct 17 19:45 mydomain.com.pem.issuer
-rw------- 1 user user 527 Oct 19 09:44 mydomain.com.pem.ocsp

I notify HAProxy about it:

echo “set ssl ocsp-response $(/usr/bin/base64 -w 10000 /etc/haproxy/certs/mydomain.com.pem.ocsp)” | /usr/bin/socat stdio /var/run/haproxy.admin

It seems to work, I get the reply:

OCSP Response updated!

Now it should be stapling the OCSP response ?

I try testing it using:

openssl s_client -connect mydomain.com:443 -tlsextdebug -status -servername mydomain.com

and get:

OCSP response: no response sent
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = mydomain.com
verify return:1

Oops… not sure what is going on here, or if it’s something peculiar to the way Let’s Encrypt certs are setup.

I was using HAProxy 1.6.3 but moved to 1.7 dev4 to try again, without any more success. (CentOS 7, OpenSSL 1:1.0.1e-51.el7_2.7)

Thanks for any pointers…


Ok figured it out, someone posted that they had it working with LibreSSL, I noticed the stock OpenSSL I had on CentOS 7 was the older 1.0.1.

It works fine now using HAProxy with OpenSSL 1.0.2 as per instructions in readme.