On Mon, Aug 14, 2017 at 08:00:11AM +0200, Andreas Bartelt wrote:
> On 08/13/17 08:50, Joel Sing wrote:
> > On Friday 11 August 2017 03:31:27 [email protected] wrote:
> ...
> > 
> > This should already be fixed in -current.
> > 
> 
> I've just tested OCSP stapling via httpd with multiple domains on current
> (all domains also resolve to the same IP address in this setup). I'm
> observing the same problem, i.e., OCSP stapling only works for the first
> domain which has been defined in httpd.conf.

I just confirmed on the latest snapshot (with the ALPN fix) that OCSP is
still broken for multiple domains.  I have 2 domains test1.ggp2.com and
test2.ggp2.com.  Whichever domain defines the OCSP certificate first
works fine.

e.g.

server "test1.ggp2.com" {
    ocsp...
}
server "test2.ggp2.com" {
    ocsp...
}

Then test1.ggp2.com works, and if 

server "test2.ggp2.com" {
    ocsp...
}
server "test1.ggp2.com" {
    ocsp...
}

then test2.ggp2.com works.

The error firefox gives is:

MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, which is different
from what I was seeing before.  Chrome now works, and SSL Labs reports
"Invalid   No response provided".

httpd.conf is as follows:

ext_addr="*"

server "default" {
        listen on $ext_addr port 80

        block return 302 "https://test1.ggp2.com$REQUEST_URI";
}

server "test1.ggp2.com" {
        listen on $ext_addr port 80
        alias "test2.ggp2.com"

        block return 301 "https://$SERVER_NAME$REQUEST_URI";
}

server "test1.ggp2.com" {
        listen on $ext_addr tls port 443

        hsts {
                subdomains
                preload
        }

        tls {
                certificate "/etc/ssl/acme/test1.ggp2.com.fullchain.pem"
                key "/etc/ssl/acme/private/test1.ggp2.com.key"
                ocsp "/etc/ssl/acme/test1.ggp2.com.der"
        }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
}

server "test2.ggp2.com" {
        listen on $ext_addr tls port 443

        hsts {
                subdomains
                preload
        }

        tls {
                certificate "/etc/ssl/acme/test2.ggp2.com.fullchain.pem"
                key "/etc/ssl/acme/private/test2.ggp2.com.key"
                ocsp "/etc/ssl/acme/test2.ggp2.com.der"
        }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                root strip 2
        }
}

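The following is an added example for reproducing the check described in the report above; it is not part of the report and not code from httpd(8). It does two things: it asks each SNI name for a staple with openssl s_client -status and classifies the result (the "no response sent" case is what Firefox and SSL Labs are complaining about), and it checks locally that each DER response named in an `ocsp` line actually covers the leaf certificate next to it, by comparing serial numbers. Host names, port and the /etc/ssl/acme paths are assumptions taken from the httpd.conf above; openssl(1) must be in PATH.

```shell
#!/bin/sh
# Added example, not part of the original report or of httpd(8) itself.
# Two checks for OCSP stapling on a multi-domain httpd:
#   1. check_host:           does the server staple a response for this SNI name?
#   2. staple_matches_cert:  does the DER response on disk cover the certificate
#                            it is configured next to in httpd.conf?
# Host names, port and file paths are assumptions taken from the report.

# Classify `openssl s_client -status` output stored in the file named by $1.
# Prints one of: stapled | none | unknown
staple_state() {
    if grep -q 'OCSP Response Status: successful' "$1"; then
        echo stapled
    elif grep -q 'OCSP response: no response sent' "$1"; then
        echo none
    else
        echo unknown
    fi
}

# Handshake with SNI set to $1 (port $2, default 443) and report stapling state.
# -status adds the status_request extension; stdin is /dev/null so s_client exits.
check_host() {
    host=$1; port=${2:-443}
    tmp=$(mktemp) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null >"$tmp" 2>/dev/null
    printf '%s: %s\n' "$host" "$(staple_state "$tmp")"
    rm -f "$tmp"
}

# Compare the serial in a DER OCSP response ($1) with the serial of the first
# (leaf) certificate in a PEM file ($2). Returns 0 when they match.
# Both openssl commands print the serial as uppercase hex without colons.
staple_matches_cert() {
    resp_serial=$(openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
        | sed -n 's/^ *Serial Number: //p' | head -n 1)
    cert_serial=$(openssl x509 -in "$2" -noout -serial | sed 's/^serial=//')
    [ -n "$resp_serial" ] && [ "$resp_serial" = "$cert_serial" ]
}

# Usage: sh check-staple.sh test1.ggp2.com test2.ggp2.com
#   then, on the server:
#   staple_matches_cert /etc/ssl/acme/test2.ggp2.com.der \
#                       /etc/ssl/acme/test2.ggp2.com.fullchain.pem && echo match
for h in "$@"; do
    check_host "$h"
done
```

Run the first check once per configured server name, since the report says only the first server block in httpd.conf gets a staple; a name that prints `none` reproduces the problem. The second check is worth running on the server after each renewal (on OpenBSD the .der files are normally written by ocspcheck(8) from the fullchain.pem): a response whose serial does not match the leaf certificate is the case Firefox reports as MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING.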