OCSP Stapling Support Not Working #4651

Closed
cbluth opened this issue Oct 9, 2019 · 3 comments

Comments


cbluth commented Oct 9, 2019

NGINX Ingress controller version:
quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.0

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.3", GitCommit:"2d3c76f9091b6bec110a5e63777c332469e0cba2", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:54Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.3", GitCommit:"5e53fd6bc17c0dec8434817e69b04a25d8ae0ff0", GitTreeState:"clean", BuildDate:"2019-06-06T01:36:19Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"}

Environment:
Custom/Baremetal

  • Cloud provider or hardware configuration:
10 Nodes:
- 32 CPU Cores
- 64GiB RAM
- 512GiB Disk
  • OS (e.g. from /etc/os-release):
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
  • Kernel (e.g. uname -a):
    Linux node-5 4.4.0-150-generic #176-Ubuntu SMP Wed May 29 18:56:26 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

  • Install tools:
    Kubespray

  • Others:
    Running Cert-Manager from Jetstack, version:
    quay.io/jetstack/cert-manager-controller:v0.10.0

What happened:
Enabled arguments:
--enable-dynamic-certificates=false
--enable-ssl-chain-completion=true
Full deployment here: https://gist.github.com/cbluth/576e4be40abccd4f47fe2cebf151b82b#file-nginx-ingress-deployment-yaml

The OCSP response is not present, see here:

echo quit | openssl s_client -connect "${MY_HOSTNAME}:443" -status -servername "${MY_HOSTNAME}" |& grep -A 6 OCSP\ response | grep -v "${MY_HOSTNAME}"
OCSP response: no response sent
---
Certificate chain
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

OCSP response: no response sent

$ cat /etc/nginx/nginx.conf | grep stapl
$ echo $?
1
$ 

What you expected to happen:
I expected OCSP queries to respond with a proper OCSP response.

How to reproduce it (as minimally and precisely as possible):
helm install nginx-ingress

edit deployment as seen above
helm install cert-manager
then test with openssl

Anything else we need to know:
unsure, please ask


cbluth commented Oct 10, 2019

I was able to fix this issue by adding this to my Kubernetes ingress manifest:

    nginx.ingress.kubernetes.io/server-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;

here is a sample ingress manifest with the option enabled:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    certmanager.k8s.io/acme-challenge-type: http01
    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/server-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;
  name: test-app
spec:
  rules:
  - host: test-app.example.com
    http:
      paths:
      - backend:
          serviceName: test-app
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - test-app.example.com
    secretName: test-app-tls

BUT

My question now is: is this configuration necessary? The docs aren't very clear on how to enable OCSP stapling.


aledbf commented Oct 12, 2019

Closing. This is expected. The SSL certificates are handled by lua, where there is no support for OCSP.

@aledbf aledbf closed this as completed Oct 12, 2019

aledbf commented Oct 12, 2019

    nginx.ingress.kubernetes.io/server-snippet: |
      ssl_stapling on;
      ssl_stapling_verify on;

This works because your certificate chain is complete.
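As an added example (not code from this issue or from the ingress-nginx project), the following Python check parses the output of the same `openssl s_client -status` command the report uses and flags the two conditions raised in this thread: whether the server sent a stapled OCSP response at all, and whether it sent a complete chain, which is the condition aledbf names for the `ssl_stapling` snippet to work (nginx needs the issuer certificate, from `ssl_certificate` or `ssl_trusted_certificate`, to locate and verify the OCSP responder). The three sample outputs are constructed, modelled on the openssl 1.0.x-style text in the report; `check_host` is a live wrapper that needs network access and an `openssl` binary, and the `problems()` wording is my own. The parser also tolerates a missing leaf `s:` line, as happens when the report's `grep -v` filters it out.

```python
"""Check OCSP stapling and chain completeness from `openssl s_client -status` output.

Added example for this issue thread; not ingress-nginx code. The sample outputs
below are constructed, modelled on the openssl 1.0.x-style text in the report.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: nginx with ssl_stapling on and a complete chain.
SAMPLE_STAPLED = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
Certificate chain
 0 s:/CN=test-app.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# Constructed sample: what the report shows (chain complete, no staple sent).
SAMPLE_NOT_STAPLED = """\
OCSP response: no response sent
Certificate chain
 0 s:/CN=test-app.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

# Constructed sample: server sends only the leaf, so nginx cannot staple.
SAMPLE_LEAF_ONLY = """\
OCSP response: no response sent
Certificate chain
 0 s:/CN=test-app.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
"""

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=..." (or "s:CN = ..." in 1.1.x)
_ISSUER = re.compile(r"^\s+i:(.*)$")            # "   i:/C=US/..."
_OCSP_STATUS = re.compile(r"OCSP Response Status:\s*(.*)$")


@dataclass
class StaplingReport:
    stapled: bool
    ocsp_status: Optional[str]      # e.g. "successful (0x0)" when a staple was sent
    chain: List[Tuple[str, str]]    # (subject, issuer) for each cert the server sent
    chain_linked: bool              # each cert's issuer is the next cert's subject

    def problems(self) -> List[str]:
        out = []
        if len(self.chain) < 2:
            out.append("server sent only the leaf certificate: nginx needs the "
                       "intermediate (in ssl_certificate or ssl_trusted_certificate) "
                       "to locate and verify the issuer for the OCSP query")
        elif not self.chain_linked:
            out.append("certificate chain is out of order or broken")
        if not self.stapled:
            out.append("no stapled OCSP response: ssl_stapling is off, or nginx has "
                       "not fetched a response yet (it fetches lazily after the first "
                       "handshake, so retry once before concluding)")
        return out


def parse_s_client_output(text: str) -> StaplingReport:
    """Parse the text that `openssl s_client -status` prints for one connection."""
    ocsp_status = None
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in text.splitlines():
        m = _OCSP_STATUS.search(line)
        if m:
            ocsp_status = m.group(1).strip()
            continue
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:   # tolerate a filtered-out subject line, as in the report
            chain.append((subject, m.group(1).strip()))
            subject = None
    linked = all(chain[i][1] == chain[i + 1][0] for i in range(len(chain) - 1))
    stapled = ocsp_status is not None and ocsp_status.startswith("successful")
    return StaplingReport(stapled, ocsp_status, chain, linked)


def check_host(hostname: str, port: int = 443, timeout: int = 15) -> StaplingReport:
    """Live check (needs network and an `openssl` binary): same command as the report."""
    cmd = ["openssl", "s_client", "-connect", f"{hostname}:{port}",
           "-servername", hostname, "-status"]
    proc = subprocess.run(cmd, input=b"Q\n", capture_output=True, timeout=timeout)
    # s_client splits its output between stdout and stderr; parse both, as `|&` did.
    return parse_s_client_output(proc.stdout.decode(errors="replace")
                                 + proc.stderr.decode(errors="replace"))


if __name__ == "__main__":
    import sys
    report = check_host(sys.argv[1]) if len(sys.argv) > 1 else parse_s_client_output(SAMPLE_NOT_STAPLED)
    print("stapled:", report.stapled, "chain depth:", len(report.chain))
    for p in report.problems():
        print("PROBLEM:", p)
```

Run it as `python3 check_stapling.py test-app.example.com` against a real host, or with no argument to see the report's own "no response sent" case classified. Because nginx fetches the OCSP response after the first handshake rather than before it, a single probe right after a controller restart can report "no response sent" even when `ssl_stapling on` is in effect; the check says so rather than treating one probe as conclusive.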
