Pitfalls of HTTPS OCSP responses

Our HTTPS site uses a free certificate issued by Let's Encrypt, and it is deployed on an enterprise internal network that is completely isolated from the outside world, so the server has no Internet access.

DNS poisoning problem

  1. Edit hosts to avoid DNS poisoning

# /etc/hosts

23.32.3.72 ocsp.int-x3.letsencrypt.org

Requesting the OCSP response

The complete response is shown below:

$ openssl ocsp -issuer ca.cer -cert website.cer -no_nonce -text \
-url http://ocsp.int-x3.letsencrypt.org -text -respout ocsp_stapling_file

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 04470F9AA9CA09D7D2AE20F5C7056964194C
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Jul 2 19:16:00 2020 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 04470F9AA9CA09D7D2AE20F5C7056964194C
Cert Status: good
This Update: Jul 2 19:00:00 2020 GMT
Next Update: Jul 9 19:00:00 2020 GMT

Signature Algorithm: sha256WithRSAEncryption
0c:d4:98:31:05:89:ea:40:21:4a:71:be:81:f9:cf:0b:be:c3:
8e:a9:ed:3f:73:fe:a7:65:c2:64:23:a7:c3:02:1a:7b:89:db:
6f:26:20:01:a7:98:1f:87:8f:61:bd:74:59:83:a1:10:d2:75:
b5:7e:ea:08:2d:6e:e0:44:99:38:38:02:43:e1:3b:3b:54:15:
9b:8a:a8:b2:01:92:04:34:81:8d:87:7b:86:c4:84:ba:8c:09:
a1:bb:fd:3a:2b:a1:8a:bd:e7:f9:22:a6:0c:00:83:29:57:39:
ef:43:0e:28:2c:0c:47:50:4d:2f:a4:68:e1:93:35:63:d3:1b:
55:f0:67:a2:c0:d2:6f:6e:19:3d:a0:e9:94:3a:03:6c:11:54:
80:ba:8b:56:d8:d0:c1:00:ca:e3:6d:20:aa:9e:f8:e1:d5:28:
90:ab:21:1f:64:c4:ef:59:89:5a:30:87:c4:23:cd:e1:77:6f:
a4:f5:3c:58:a2:1e:f9:5e:e1:41:9f:1a:1f:26:64:68:18:68:
4c:30:1a:5a:65:26:6a:ec:96:45:1d:06:01:e8:e1:42:93:cc:
43:c8:b3:fd:43:20:ac:6c:c2:3c:e1:c0:29:4c:6f:dc:43:18:
27:87:d2:50:8a:ed:47:2b:de:45:cc:ea:45:a6:ec:af:20:f1:
d7:ab:54:32
_.mes.haorizi.cn.cer: good
This Update: Jul 2 19:00:00 2020 GMT
Next Update: Jul 9 19:00:00 2020 GMT
Response verify OK

OCSP response validity period

The actual pitfall is right here: a single OCSP response is valid for only 7 days

This Update: Jul  2 19:00:00 2020 GMT
Next Update: Jul 9 19:00:00 2020 GMT

By saving the OCSP response to a file and configuring it in Nginx (OCSP stapling), the browser is spared an online check of the certificate's revocation status. For an nginx server that can reach the Internet, a 7-day validity period is no problem: once the response expires, it simply fetches a fresh one. Our server, however, sits on the enterprise intranet with no outside connectivity, and that is what made access from the IE browser slow.

When deploying Nginx we applied a series of optimisations to speed up loading the site's home page in the browser, and at that point it was lightning fast, as if the page opened instantly, so we happily went home for the day. The problem surfaced seven days later, once the OCSP response had expired: opening the site in IE was now slower than a snail, yet in Chrome it was still lightning fast, and in Firefox the site could not be opened at all, failing with SEC_ERROR_OCSP_OLD_RESPONSE (the OCSP response information has expired).
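The following is an added example, not code from the original post: a Python check, assumed to run on the air-gapped nginx host, that reads the This Update / Next Update lines from `openssl ocsp -text` output and classifies the saved staple file as fresh, due for refresh (past half its lifetime, an assumed policy), or expired, so the stale file can be replaced or removed from the nginx configuration before browsers such as Firefox reject it. The sample lines are constructed from the response shown above.

```python
"""Freshness check for an OCSP response saved with `openssl ocsp -respout` (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample: the validity lines from the response shown above.
SAMPLE_OCSP_TEXT = """\
    Cert Status: good
    This Update: Jul  2 19:00:00 2020 GMT
    Next Update: Jul 9 19:00:00 2020 GMT
"""

# openssl prints GeneralizedTime as "Mon  D HH:MM:SS YYYY GMT" (day padded to two
# columns); \s+ also tolerates the single space seen in copied output.
_UPDATE_RE = re.compile(
    r"^\s*(This|Next) Update:\s+(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\d{4}) GMT",
    re.MULTILINE,
)


def parse_validity(ocsp_text):
    """Return (this_update, next_update) as aware UTC datetimes."""
    found = {}
    for which, mon, day, hms, year in _UPDATE_RE.findall(ocsp_text):
        stamp = f"{mon} {int(day):02d} {hms} {year}"
        found[which] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    if set(found) != {"This", "Next"}:
        raise ValueError("no This Update / Next Update pair in OCSP text")
    return found["This"], found["Next"]


def staple_status(ocsp_text, now, refresh_fraction=0.5):
    """'fresh', 'refresh' (past refresh_fraction of the lifetime, assumed policy) or
    'expired' (nextUpdate passed; stop serving it). `now`: aware datetime or ISO string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    this_update, next_update = parse_validity(ocsp_text)
    if now >= next_update:
        return "expired"
    if now >= this_update + (next_update - this_update) * refresh_fraction:
        return "refresh"
    return "fresh"


if __name__ == "__main__":
    import subprocess, sys
    # Decode the DER staple written by -respout; -noverify because only the dates are read here.
    text = subprocess.run(["openssl", "ocsp", "-respin", sys.argv[1], "-text", "-noverify"],
                          capture_output=True, text=True, check=True).stdout
    print(staple_status(text, datetime.now(timezone.utc)))
```

Run it from cron against the `-respout` file: a "refresh" result is the cue to fetch a new response on a connected machine and copy it in, and "expired" means the stapled file should be removed until it is replaced.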


Source: https://pygyme.com/HTTP协议/https-ocsp响应的坑/
Author: PYGYME
Published: 12 May 2020