Nginx Ingress controller and OCSP Must Staple

7/27/2018

Recently, I got a certificate from Let's Encrypt with the Must Staple extension on it, requiring an OCSP response to be sent with the certificate. I am using the Kubernetes ingress-nginx (on Google Cloud) controller for TLS. The certificate is working great on Chrome (since it doesn't use OCSP), but it's failing on all other browsers because an OCSP response is not being stapled to it. The certificate I am using for the public key is the full certificate chain from Let's Encrypt. I'm not sure why nginx isn't attaching an OCSP response even though Kubernetes supports OCSP.

-- Jack Withes
google-kubernetes-engine
kubernetes
kubernetes-ingress
nginx
ocsp

1 Answer

7/28/2018

Have a look here: https://github.com/kubernetes/ingress-nginx/blob/master/cmd/nginx/flags.go#L133-L137

It seems you either haven't got the full chain like you expected, or you're missing the "Authority Information Access" X.509 v3 extension.

-- jaxxstorm
Source: StackOverflow
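
The two conditions named in the answer (a full chain, and an "Authority Information Access" extension with an OCSP URL on the leaf) can be checked against the PEM file before it is loaded into the TLS secret. This is an added example, not part of the original post or of ingress-nginx; the function names, the file argument and the constructed test certificate are assumptions, and the test-certificate helper needs OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: pre-flight checks on the PEM loaded into the Ingress TLS secret.
# openssl x509 reads only the first PEM block, so the leaf must come first.

# Number of certificates in the file (leaf plus intermediates).
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# OCSP responder URL from the leaf's Authority Information Access extension.
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null; }

# Succeeds if the leaf carries the TLS Feature (Must Staple) extension.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'status_request'
}

# Returns 0 only when both conditions named in the answer hold.
check_staple_ready() {
    rc=0
    n=$(count_certs "$1") || n=0
    uri=$(ocsp_uri "$1") || uri=""
    if [ "${n:-0}" -lt 2 ]; then
        echo "FAIL: $n certificate(s) in file, issuer certificate is missing"
        rc=1
    fi
    if [ -z "$uri" ]; then
        echo "FAIL: leaf has no OCSP URL in Authority Information Access"
        rc=1
    else
        echo "OK: OCSP responder is $uri"
    fi
    if has_must_staple "$1"; then
        echo "NOTE: Must Staple is set, enforcing clients reject an unstapled handshake"
    fi
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate standing in for
# a real leaf. $1 is the output file, remaining arguments go to "openssl req".
make_constructed_cert() {
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$out" \
        -days 1 -subj "/CN=constructed.example.test" "$@" 2>/dev/null
}

# Stand-alone use: sh check.sh fullchain.pem
if [ "$#" -gt 0 ]; then check_staple_ready "$1"; fi
```

The chain check only counts PEM blocks; it does not verify that the second certificate is actually the issuer of the first.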