[nginx] Support ssl ocsp stapling #416

Closed
InAnimaTe opened this issue Mar 9, 2017 · 8 comments · Fixed by #1475
Comments

@InAnimaTe

Would love to see support for this implemented. The options to enable are fairly trivial.

More on configuration here and OCSP stapling here.

Something like:

    {{ if $cfg.SSLStapling }}
    ssl_stapling on;
    ssl_stapling_verify on;
    {{ end }}

By default these global options should be off. This is because not every certificate contains the root/intermediate combined for the webserver to actually properly perform OCSP. Luckily, LetsEncrypt does. Because of this, I think it's best to have the global options disabled by default but allow an annotation for ingresses to optionally enable this.

Although, this could go deeper for per-ingress enablement as there is also the ssl_trusted_certificate option where people can also manually specify their root/intermediate cert.

There is actually another issue asking for this here (in the old repo) as well.

@aledbf
Member

aledbf commented Mar 9, 2017

This is because not every certificate contains the root/intermediate combined for the webserver to actually properly perform oscp

that is the reason why I never added these options ;)

Luckily, LetsEncrypt does.

Maybe we can check if the certificate contains the necessary information and enable this per SSL certificate

@glerchundi
Contributor

Maybe we can check if the certificate contains the necessary information and enable this per SSL certificate

That would be awesome, and by the way start checking from the ground up if the chain is signed properly.

@InAnimaTe
Author

For people here using kube-lego, this issue is presently open regarding getting the must staple option included in newly requested certs.

@ConnorJC3

ConnorJC3 commented Mar 11, 2017

This will be required for many implementations of Certificate Transparency. For example, I know Let's Encrypt planned to embed them in OCSP responses.

As Google Chrome will not be trusting any certs without CT starting October 2017, it would be nice if we had a stable version with OCSP stapling by then.

@anoop-p

anoop-p commented May 16, 2019

If any of you had an issue enabling OCSP like me, follow the steps below.

  1. Create configmap
    kubectl create secret tls foo-bar --key foo-bar-privkey.key --cert foo-bar-cert.crt
  2. Update the Nginx ingress deployment with the following value. (very important)
    --enable-dynamic-certificates=false
    --enable-ssl-chain-completion=true
  3. To confirm OCSP is enabled check the following.
    kubectl exec -it nginx-ingress-controller-xxx sh

$cat /etc/nginx/nginx.conf |grep ssl
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/ingress-controller/ssl/foo-bar-privkey.pem;
ssl_certificate_key /etc/ingress-controller/ssl/foo-bar-cert.pem;
ssl_trusted_certificate /etc/ingress-controller/ssl/foo-bar-cert.pem;

  4. Verify OCSP by using the following command.
    openssl s_client -showcerts -servername foo.bar -connect foo.bar:443 -status

OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response

Notes:

  1. Make sure the certificate contains the "server certificate" and the "intermediate certificate". If you are using Let's Encrypt, fullchain.pem is sufficient.
  2. https://kubernetes.github.io/ingress-nginx/user-guide/cli-arguments/
  3. You will see ssl_stapling only when OCSP is enabled correctly.
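Two offline-testable checks around the steps above, added here as an example and not taken from the issue or from ingress-nginx: the first counts the certificates in the PEM chain handed to the controller (note 1, and the per-certificate check aledbf suggested earlier in the thread), the second classifies the output of the `openssl s_client -status` probe from step 4. Function names, and the sample chain and captures, are this example's own.

```sh
#!/bin/sh
# Added example, not code from the issue or from ingress-nginx: offline-testable
# checks around note 1 and step 4 above. Function names are this example's own.

# Count certificate blocks in a PEM chain read from stdin. For stapling with
# ssl_stapling_verify, the file handed to nginx must carry the server
# certificate plus its intermediate, so fewer than 2 means stapling will
# silently not be enabled (note 1 above).
chain_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Classify `openssl s_client -status` output read from stdin:
#   stapled    - server sent a successful OCSP response
#   unstapled  - openssl reported "OCSP response: no response sent"
#   unknown    - anything else (handshake failure, truncated output, ...)
ocsp_status_from_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    echo stapled
  elif printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo unstapled
  else
    echo unknown
  fi
}

# Live probe wrapping the command from step 4 (needs network; not run here).
probe_ocsp() {  # usage: probe_ocsp host [port]
  openssl s_client -servername "$1" -connect "$1:${2:-443}" -status \
    </dev/null 2>/dev/null | ocsp_status_from_output
}

# Constructed sample inputs (not real certificates or real captures).
SAMPLE_CHAIN='-----BEGIN CERTIFICATE-----
placeholder-leaf-cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
placeholder-intermediate-cert
-----END CERTIFICATE-----'
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_UNSTAPLED='OCSP response: no response sent
---
Certificate chain'
```

Run `probe_ocsp foo.bar` against a live ingress to get the same three-way verdict; an `unstapled` result with a two-certificate chain usually points at the controller flags in step 2 rather than at the certificate.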

@logopk

logopk commented Aug 23, 2019

Hi,

If any of you had an issue in enabling OCSP like me follow the steps below.

...

  1. Update the Nginx ingress deployment with the following value. (very important)
    --enable-dynamic-certificates=false
    --enable-ssl-chain-completion=true
    ...

Could you please explain where I can add these "args"? Apparently I cannot add these to a running nginx-ingress-controller in minikube (as an addon).

Thank you for your support.

Peter

@anoop-p

anoop-p commented Aug 23, 2019

It needs to be added to the nginx-ingress-deployment.yaml file. Snippet of the configuration:

    containers:
      - name: nginx-ingress-controller
        image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
        args:
          - /nginx-ingress-controller
          - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
          - --configmap=$(POD_NAMESPACE)/nginx-configuration
          - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
          - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
          - --publish-service=$(POD_NAMESPACE)/ingress-nginx
          - --annotations-prefix=nginx.ingress.kubernetes.io
          - --enable-dynamic-certificates=false
          - --enable-ssl-chain-completion=true
          - --default-ssl-certificate=$(POD_NAMESPACE)/star-example-cert

@logopk

logopk commented Aug 23, 2019

Well I don't have this file (as I installed this with "minikube addons enable ingress")...
