Nginx: ssl_stapling_file error while following your documentation

[HansVanEijsden]

Hi there,

First of all, thanks for your beautiful tool. Currently I'm migrating thousands of websites from acme-tiny to acmebot because of the dual certificates management (ECDSA and RSA) and the OCSP must-staple functionality. Great!

I followed your examples in the documentation but when I follow the config exactly then Nginx gives me an error:
[emerg] 1097#1097: "ssl_stapling_file" directive is duplicate in /opt/nginx/conf/sites/airplayradio.conf:43

Here's the relevant part of the config:

	listen   443 http2; ## listen for ipv4; this line is default and implied
	listen   [::]:443 http2; ## listen for ipv6

	server_name www.airplayradio.nl airplayradio.nl;

        ssl_stapling               on;
        ssl_stapling_verify        on;

        ssl_ct on;

        ssl_certificate         /etc/ssl/certs/airplayradio.nl.ecdsa.pem;
        ssl_certificate_key     /etc/ssl/private/airplayradio.nl.ecdsa.key;
        ssl_ct_static_scts      /etc/ssl/scts/airplayradio.nl/ecdsa;
        ssl_stapling_file       /etc/ssl/ocsp/airplayradio.nl.ecdsa.ocsp;

        ssl_certificate         /etc/ssl/certs/airplayradio.nl.rsa.pem;
        ssl_certificate_key     /etc/ssl/private/airplayradio.nl.rsa.key;
        ssl_ct_static_scts      /etc/ssl/scts/airplayradio.nl/rsa;
        ssl_stapling_file       /etc/ssl/ocsp/airplayradio.nl.rsa.ocsp;

#     ssl_trusted_certificate /etc/ssl/certs/airplayradio.nl+root.rsa.pem;

        ssl_dhparam             /etc/ssl/params/airplayradio.nl_param.pem;
        ssl_ecdh_curve secp384r1;

        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        include /etc/ssl/hpkp/airplayradio.nl.nginx;

As soon as I comment one of the ssl_stapling_file directives the errors are gone. I have the same problems with multiple ssl_trusted_certificate declarations.

Linux vps 4.14.0-0.bpo.3-amd64 #1 SMP Debian 4.14.13-1~bpo9+1 (2018-01-14) x86_64 GNU/Linux

nginx version: nginx/1.13.9
built by gcc 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) 
built with OpenSSL 1.1.0g  2 Nov 2017
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --user=www-data --group=www-data --with-http_v2_module --with-http_ssl_module --with-http_v2_hpack_enc --with-openssl=/usr/local/src/openssl-1.1.0g --with-openssl-opt='enable-ec_nistp_64_gcc_128 -DCFLAGS='-march=native -O3 -flto -fuse-linker-plugin'' --with-pcre-jit --with-file-aio --with-http_gzip_static_module --with-http_flv_module --with-http_geoip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --with-libatomic --with-zlib=/usr/local/src/zlib-1.2.8 --with-zlib-opt='-O3 -march=native -flto -fuse-linker-plugin' --add-module=/usr/local/src/headers-more-nginx-module --add-module=/usr/local/src/echo-nginx-module --add-module=/usr/local/src/ngx_http_substitutions_filter_module --add-module=/usr/local/src/srcache-nginx-module --add-module=/usr/local/src/redis2-nginx-module --add-module=/usr/local/src/ngx_http_redis-0.3.8 --add-module=/usr/local/src/ngx_devel_kit --add-module=/usr/local/src/set-misc-nginx-module --add-module=/usr/local/src/nginx-ct --with-cc-opt='-DTCP_FASTOPEN=23 -march=native -flto -O3 -fuse-linker-plugin -Wno-error=strict-aliasing -fstack-protector-strong -D_FORTIFY_SOURCE=2' --with-ld-opt='-lrt -z relro -fstack-protector-strong'

I tried to do my homework as good as possible and found this Nginx ticket: https://trac.nginx.org/nginx/ticket/990 (I tried the mentioned patch at the bottom but it doesn't apply completely on my Nginx, it finishes with errors).
Am I missing something? Thanks!

[plinss]

Hi Hans, thanks for the kind words. You're not missing anything, Nginx currently doesn't allow multiple OCSP staple files. The patch you found was submitted by me and hasn't been accepted yet (I was a bit optimistic in the instructions about when it might get accepted). I expect it needs to be modified to work with the current version, and does need a bit of work before it's fully done (there is also some controversy about how the Nginx configuration doesn't really have the proper mechanism to associate additional data, like the OCSP staples, with the proper certificate. The current patch relies on them being declared in the same order).

Unfortunately, until Nginx is fixed, using OCSP staple files doesn't really work with multiple certificates, as a single staple file will be sent with both certificates, and it will be wrong for one of them. I recommend you either let Nginx fetch the staples (which it does lazily), or put a load balancer like HAProxy in front of it that can deal with the OCSP files properly.

I did recently add the verification function to help with this problem. If you specify port 443 verifications, acmebot will connect to each virtual host and request the OCSP staple, retrying until it is received. So at the least it will force Nginx to fetch the staples right away. I also don't recommend you use Must-Staple until the Nginx behavior is fixed (unless you can live with staple failures for the few seconds until the verification is done after a reload, and you run acmebot right after launching Nginx).

At some point soon I'm going to update that patch and take another crack at getting it landed. I'll leave this issue open as a reminder (and notice to you when it gets done).