The site's HTTPS uses a free certificate issued by Let's Encrypt, but it is deployed inside an enterprise internal network that is completely isolated from the internet and has no outbound connectivity.
DNS pollution

- Edit the hosts file to sidestep DNS pollution:

```
23.32.3.72 ocsp.int-x3.letsencrypt.org
```
Requesting an OCSP response

Below is the complete response:

```
$ openssl ocsp -issuer ca.cer -cert website.cer -no_nonce -text \
    -url http://ocsp.int-x3.letsencrypt.org -text -respout ocsp_stapling_file
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 04470F9AA9CA09D7D2AE20F5C7056964194C
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Jul 2 19:16:00 2020 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 04470F9AA9CA09D7D2AE20F5C7056964194C
    Cert Status: good
    This Update: Jul 2 19:00:00 2020 GMT
    Next Update: Jul 9 19:00:00 2020 GMT

    Signature Algorithm: sha256WithRSAEncryption
         0c:d4:98:31:05:89:ea:40:21:4a:71:be:81:f9:cf:0b:be:c3:
         8e:a9:ed:3f:73:fe:a7:65:c2:64:23:a7:c3:02:1a:7b:89:db:
         6f:26:20:01:a7:98:1f:87:8f:61:bd:74:59:83:a1:10:d2:75:
         b5:7e:ea:08:2d:6e:e0:44:99:38:38:02:43:e1:3b:3b:54:15:
         9b:8a:a8:b2:01:92:04:34:81:8d:87:7b:86:c4:84:ba:8c:09:
         a1:bb:fd:3a:2b:a1:8a:bd:e7:f9:22:a6:0c:00:83:29:57:39:
         ef:43:0e:28:2c:0c:47:50:4d:2f:a4:68:e1:93:35:63:d3:1b:
         55:f0:67:a2:c0:d2:6f:6e:19:3d:a0:e9:94:3a:03:6c:11:54:
         80:ba:8b:56:d8:d0:c1:00:ca:e3:6d:20:aa:9e:f8:e1:d5:28:
         90:ab:21:1f:64:c4:ef:59:89:5a:30:87:c4:23:cd:e1:77:6f:
         a4:f5:3c:58:a2:1e:f9:5e:e1:41:9f:1a:1f:26:64:68:18:68:
         4c:30:1a:5a:65:26:6a:ec:96:45:1d:06:01:e8:e1:42:93:cc:
         43:c8:b3:fd:43:20:ac:6c:c2:3c:e1:c0:29:4c:6f:dc:43:18:
         27:87:d2:50:8a:ed:47:2b:de:45:cc:ea:45:a6:ec:af:20:f1:
         d7:ab:54:32
_.mes.haorizi.cn.cer: good
    This Update: Jul 2 19:00:00 2020 GMT
    Next Update: Jul 9 19:00:00 2020 GMT
Response verify OK
```
OCSP response validity period

This is exactly where the pitfall lies: a single OCSP response is valid for only 7 days.

```
This Update: Jul 2 19:00:00 2020 GMT
Next Update: Jul 9 19:00:00 2020 GMT
```
By saving the OCSP response to a file and configuring that file in Nginx, the online certificate status check is avoided. For an Nginx server that can reach the internet, a 7-day OCSP response validity is no problem: once it expires, a fresh response is simply fetched. Our server, however, sits on the enterprise intranet with no outbound access, and that is what caused the slow page loads in IE.
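The following is an added example, not code from the original post. It is a standard-library-only Python checker that walks the DER structure of the file `openssl ocsp -respout` writes (the same file Nginx serves via its `ssl_stapling_file` directive), pulls out the certificate status, `thisUpdate` and `nextUpdate` of the first SingleResponse, and reports whether the stapled response is expired or about to expire, so it can be regenerated before clients start rejecting it. The sample response it builds is constructed in the script with a placeholder signature (structurally valid, not cryptographically signed) using the Jul 2 / Jul 9 2020 window from the output above; the function names, the one-day refresh margin and the dummy hash values are my own choices.

```python
"""Read the validity window out of a DER OCSP response (the file written by
`openssl ocsp -respout` and handed to Nginx as the stapled response) and decide
whether it must be regenerated before clients reject it as stale."""
from datetime import datetime, timedelta, timezone

OCSP_BASIC_OID = bytes.fromhex("2b0601050507300101")   # id-pkix-ocsp-basic, 1.3.6.1.5.5.7.48.1.1
CERT_STATUS = {0x80: "good", 0xA1: "revoked", 0x82: "unknown"}   # certStatus CHOICE tags

# Window taken from the openssl output above; used only for the constructed sample.
SAMPLE_THIS_UPDATE = datetime(2020, 7, 2, 19, 0, tzinfo=timezone.utc)
SAMPLE_NEXT_UPDATE = datetime(2020, 7, 9, 19, 0, tzinfo=timezone.utc)


def _read_tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for every TLV inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = _read_tlv(buf, pos)
        yield tag, vs, ve


def _generalized_time(raw):
    return datetime.strptime(raw.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ocsp_single_response(der):
    """Return (cert_status, this_update, next_update) of the first SingleResponse in a DER OCSPResponse."""
    _, vs, ve, _ = _read_tlv(der, 0)                          # OCSPResponse ::= SEQUENCE
    status, response_bytes = list(_children(der, vs, ve))[:2]
    if der[status[1]:status[2]] != b"\x00":
        raise ValueError("responseStatus is not successful(0)")
    _, rs, re_, _ = _read_tlv(der, response_bytes[1])         # responseBytes [0] EXPLICIT -> SEQUENCE
    oid, octets = list(_children(der, rs, re_))
    if der[oid[1]:oid[2]] != OCSP_BASIC_OID:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    _, bs, be, _ = _read_tlv(der, octets[1])                  # OCTET STRING wraps BasicOCSPResponse
    tbs = next(_children(der, bs, be))                         # tbsResponseData is the first element
    # responderID is [1]/[2], producedAt is a GeneralizedTime; `responses` is the first bare SEQUENCE.
    responses = next(c for c in _children(der, tbs[1], tbs[2]) if c[0] == 0x30)
    single = next(_children(der, responses[1], responses[2]))
    fields = list(_children(der, single[1], single[2]))       # certID, certStatus, thisUpdate, [0] nextUpdate
    cert_status = CERT_STATUS.get(fields[1][0], "unknown")
    this_update = next_update = None
    for tag, s, e in fields[2:]:
        if tag == 0x18 and this_update is None:
            this_update = _generalized_time(der[s:e])
        elif tag == 0xA0:                                       # nextUpdate [0] EXPLICIT GeneralizedTime
            _, ts, te, _ = _read_tlv(der, s)
            next_update = _generalized_time(der[ts:te])
    return cert_status, this_update, next_update


def needs_refresh(next_update, now, margin_days=1):
    """True when the stapled response is expired, has no nextUpdate, or expires within margin_days."""
    return next_update is None or now >= next_update - timedelta(days=margin_days)


def _tlv(tag, value):
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _gtime(dt):
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii"))


def build_sample_response(this_update, next_update):
    """Constructed sample: one 'good' SingleResponse with dummy hashes and an all-zero placeholder signature."""
    sha1_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0e03021a")) + _tlv(0x05, b""))
    cert_id = _tlv(0x30, sha1_alg + _tlv(0x04, b"\x11" * 20) + _tlv(0x04, b"\x22" * 20) + _tlv(0x02, b"\x01\x02\x03"))
    single = _tlv(0x30, cert_id + _tlv(0x80, b"") + _gtime(this_update) + _tlv(0xA0, _gtime(next_update)))
    tbs = _tlv(0x30, _tlv(0xA2, _tlv(0x04, b"\x22" * 20)) + _gtime(this_update) + _tlv(0x30, single))
    sig_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))   # sha256WithRSA
    basic = _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 257))
    response_bytes = _tlv(0xA0, _tlv(0x30, _tlv(0x06, OCSP_BASIC_OID) + _tlv(0x04, basic)))
    return _tlv(0x30, _tlv(0x0A, b"\x00") + response_bytes)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                   # real stapling file, e.g. the ocsp_stapling_file from -respout
        with open(sys.argv[1], "rb") as fh:
            der = fh.read()
    else:                                   # no argument: check the constructed sample instead
        der = build_sample_response(SAMPLE_THIS_UPDATE, SAMPLE_NEXT_UPDATE)
    status, this_update, next_update = ocsp_single_response(der)
    print(f"status={status} thisUpdate={this_update:%Y-%m-%d %H:%M}Z nextUpdate={next_update:%Y-%m-%d %H:%M}Z")
    print("refresh needed" if needs_refresh(next_update, datetime.now(timezone.utc)) else "stapled response still valid")
```

Run it from a scheduled job on the intranet Nginx host as `python check_ocsp_window.py ocsp_stapling_file`; when it reports that a refresh is needed, regenerate the file on a machine that can reach the responder and copy it back before the `Next Update` time passes, since clients such as Firefox reject a staple whose window has lapsed.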
When deploying Nginx I applied a series of optimizations to speed up loading the site's home page in the browser. At that point pages opened practically instantly, and I happily went home for the day. The problem surfaced seven days later, when the OCSP response had expired: opening the site in IE was now slower than a snail, while Chrome was still blazing fast, and Firefox refused to load it at all, showing SEC_ERROR_OCSP_OLD_RESPONSE: the OCSP response has expired.