I’m using a certificate issued by letsencrypt (as a client cert) and the chain looks like
LEAF
Intermediate (E6)
Root (X1)
The nginx server is configured for mTLS and with OCSP on, something like this
ssl_client_certificate /<file that contains both E6 and X1>;
ssl_verify_client on;
ssl_verify_depth 3;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate <same as ssl_client_certificate>;
ssl_ocsp on;
Now if I try to connect to this server there will be a “400 The SSL certificate error” response (the internal error code is 495). Digging into the nginx debug logs a bit, it looks like nginx first successfully does the OCSP check on the leaf and then continues down the chain to check the Intermediate (letsencrypt E6). However, this fails because that certificate does not contain any OCSP URI under AIA. What is the expected behavior here, when using ssl_ocsp on and there are intermediate CAs without an OCSP URI (even if they are included in ssl_client_certificate)?
If I change it to ssl_ocsp leaf; the response will be fine.
I am running these versions and configure arguments:
nginx version: nginx/1.29.0
built by gcc 12.2.0 (Debian 12.2.0-14)
built with OpenSSL 3.0.15 3 Sep 2024
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_ssl_module --with-pcre --with-http_gzip_static_module --with-http_stub_status_module --with-http_image_filter_module --with-file-aio --with-ipv6 --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --add-module=nginx-auth-ldap --with-debug
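A diagnostic added here (not part of the original post) that lists, for every certificate in a PEM bundle such as the file named by ssl_client_certificate, its subject and the OCSP responder URI from its Authority Information Access extension, printing "none" where there is no such URI; since ssl_ocsp on validates every certificate in the client chain, any intermediate reported as "none" is the kind that triggers the 495 seen above. It assumes a POSIX shell with the openssl command available; the self-signed certificates used to exercise it are constructed throwaway input, not the poster's chain.

```shell
#!/bin/sh
# ocsp_uri_report BUNDLE
#   Print one line per certificate in the PEM bundle: "<subject>|<ocsp-uri-or-none>".
#   Assumption: the openssl CLI (1.1.1 or newer) is on PATH.
ocsp_uri_report() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate: cert.1, cert.2, ...
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for f in "$tmpdir"/cert.*; do
        [ -f "$f" ] || continue
        # RFC2253 name format keeps the subject stable across OpenSSL versions
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
        # -ocsp_uri prints the OCSP responder URI(s) from AIA, or nothing at all
        uris=$(openssl x509 -in "$f" -noout -ocsp_uri | tr '\n' ' ' | sed 's/ *$//')
        printf '%s|%s\n' "$subject" "${uris:-none}"
    done
    rm -rf "$tmpdir"
}

# count_without_ocsp BUNDLE: number of certificates in the bundle lacking an OCSP URI.
# A non-zero result with "ssl_ocsp on" means nginx will try to check a certificate
# it has no responder for; "ssl_ocsp leaf" limits the check to the end-entity cert.
count_without_ocsp() {
    ocsp_uri_report "$1" | grep -c '|none$'
}
```

Run it as `ocsp_uri_report /path/to/ssl_client_certificate.pem` to see which entries of the bundle carry a responder URI and which do not.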