Some 404 pages do not display XenForo error pages, instead just showing the nginx error

OK, I have this now:
ssl_certificate /unified.crt; (example.com.crt + intermediate.crt)
ssl_trusted_certificate /trusted.crt; (root.pem + intermediate.crt).

openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP

Code:
# openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
        Subject: C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer
                OCSP Signing, OCSP No Check
 
Perfect, the chain issues are fixed. Is ssl_stapling_verify on?
Run from your console:
Code:
$ openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
to see my server response.
 
Here's my config now:
Code:
server {
    server_name phcorner.net *.phcorner.net;
    return 301 https://www.phcorner.net$request_uri;
}

server {
    listen 192.99.1.216:443 ssl spdy default_server;
    server_name www.phcorner.net;

    # startssl
    ssl_certificate /usr/local/nginx/conf/ssl/phcorner_net_startssl/ssl-unified.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/phcorner_net_startssl/www_phcorner_net.key;
    ssl_stapling_responder  http://ocsp.startssl.com/sub/class1/server/ca/;
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/phcorner_net_startssl/ssl-trusted.crt;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout  10m;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!kEDH:!EDH:!CAMELLIA;
    ssl_prefer_server_ciphers  on;
    add_header Alternate-Protocol 443:npn-spdy/2;

    # enable ocsp stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=10m;
    resolver_timeout 10s;

    # custom added
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options DENY;

  .......

openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
Code:
 openssl s_client -connect axivo.com:443 -status -tls1_2 | grep OCSP
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", OU = http://certificates.starfieldtech.com/repository, CN = Starfield Secure Certification Authority, serialNumber = 10688435
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:
openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
Code:
# openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
        Subject: C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer
                OCSP Signing, OCSP No Check
 
Did you look at your X509v3 key usage? Run your check without a grep.
Code:
       X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing
            ...
            OCSP No Check:

            X509v3 CRL Distribution Points:
            ...
 
Did you look at your X509v3 key usage? Run your check without a grep.
Code:
       X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing
            ...
            OCSP No Check:

            X509v3 CRL Distribution Points:
            ...
What do you mean?
This?
Code:
 openssl s_client -connect phcorner.net:443 -status -tls1_2 | OCSP
-bash: OCSP: command not found
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
114144884770472:error:09072007:PEM routines:PEM_write_bio:BUF lib:pem_lib.c:651:
 
It's common sense: OCSP No Check means there is no verification performed. You can also look at the OpenSSL documentation.

Now even I am confused with what you're saying, as your domain also has OCSP No Check listed, and from what I read most delegate certs will list OCSP No Check as well.

from startssl policy.pdf www.startssl.com/policy.pdf

7.5 OCSP Profile
Online Certificate Status Protocol responders conforms to RFC 2560.

Basic Constraint: critical, CA:FALSE
Key Usage: Digital Signature, Key Encipherment, Key Agreement
Extended Key Usage: OCSP Signing, No Check

Does that mean the following is a valid response?

OCSP Signing
OCSP No Check:
 
Now even I am confused with what you're saying, as your domain also has OCSP No Check listed, and from what I read most delegate certs will list OCSP No Check as well.
I have very basic knowledge in cryptography, so anyone please correct me if I'm wrong. From my understanding, X509 (version 3) is just a standard for public keys and has optional extensions. The extensions inform a specific usage of the certificate, like basic constraints, key usage, identifier, etc. In our case, OCSP (Online Certificate Status Protocol) No Check informs what the client MUST do in case the certificate is revoked. Since there are no directives, nothing is done. A better example on my certificates: the Extended Key Usage tells clients that it is important to perform TLS Web Server Authentication and OCSP Signing, but does not say anything about TLS Web Client Authentication, so the client (i.e. browser) can do whatever it likes when the time comes to deal with public keys.

Let's compare the 2 certificates:
Code:
$ openssl s_client -connect axivo.com:443 -status -tls1_2
...
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing
            X509v3 Subject Key Identifier:
                1A:6E:28:0A:41:4B:25:46:8E:5B:42:4D:B5:6B:9D:F3:B4:B4:EF:9D
            X509v3 Authority Key Identifier:
                keyid:49:4B:52:27:D1:1B:BC:F2:A1:21:6A:62:7B:51:42:7A:8A:D7:D5:56

            OCSP No Check:

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.starfieldtech.com/starfieldextendedissuing.crl

            X509v3 Certificate Policies:
                Policy: 2.16.840.1.114414.1.7.23.1
                  CPS: http://certs.starfieldtech.com/repository/
...

$ openssl s_client -connect phcorner.net:443 -status -tls1_2
...
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                OCSP Signing, OCSP No Check
            X509v3 Subject Key Identifier:
                45:E0:A3:66:95:41:4C:5D:D4:49:BC:00:E3:3C:DC:DB:D2:34:3E:17
            X509v3 Authority Key Identifier:
                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45

            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
...
For phcorner.net, we have specific Extended Key Usage instructions: perform OCSP signing but don't perform OCSP verification. Furthermore, the OCSP No Check section is missing due to the previous extension conditions.

This is where I'm not sure: what happens with the client when the above conditions are not met? If anyone has some experience in this area, please let us know. I believe the ssl_stapling_verify directive in Nginx is directly related to extended key usage. If OCSP Signing is missing, is no real verification performed?
 
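Added example, not code from the thread or from OpenSSL: a Python parser for the two "X509v3 extensions" blocks quoted above (embedded here as constructed samples copied from the post, not live output) that reports what RFC 6960 expects of a delegated OCSP responder certificate, the mandatory OCSP Signing extended key usage and the optional id-pkix-ocsp-nocheck extension, which OpenSSL prints as "OCSP No Check" and which tells a client it need not check the responder certificate's own revocation status. The report also distinguishes the two placements the dumps show: Starfield's signer carries OCSP No Check as its own extension, while StartCom's lists it among the Extended Key Usage values.

```python
import re
# Constructed samples: the two "X509v3 extensions" blocks quoted in the thread
# (Starfield signer for axivo.com, StartCom signer for phcorner.net), trimmed.
AXIVO_SIGNER = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, OCSP Signing
            OCSP No Check:
"""
PHCORNER_SIGNER = """\
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                OCSP Signing, OCSP No Check
"""

def parse_extensions(text: str) -> dict[str, list[str]]:
    """Map each extension header (':' or ': critical' at header indent) to its value lines."""
    exts: dict[str, list[str]] = {}
    header_indent, current = None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "X509v3 extensions:":
            continue
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            header_indent = indent  # first extension line fixes the header level
        m = re.fullmatch(r"(.*?):(?:\s*critical)?", stripped)
        if m and indent == header_indent:
            current = m.group(1)
            exts[current] = []
        elif current is not None:
            exts[current].append(stripped)
    return exts

def ocsp_signer_report(text: str) -> dict[str, bool]:
    """Flag the RFC 6960 responder-cert properties and where 'OCSP No Check' appears."""
    exts = parse_extensions(text)
    values = lambda key: [v.strip() for ln in exts.get(key, []) for v in ln.split(",")]
    eku, ku = values("X509v3 Extended Key Usage"), values("X509v3 Key Usage")
    return {
        "ocsp_signing_eku": "OCSP Signing" in eku,           # mandatory for a delegated responder
        "tls_server_auth_eku": "TLS Web Server Authentication" in eku,
        "digital_signature_ku": "Digital Signature" in ku,   # needed to sign responses
        "nocheck_extension": "OCSP No Check" in exts,        # id-pkix-ocsp-nocheck as own extension
        "nocheck_in_eku_list": "OCSP No Check" in eku,       # StartCom prints it inside the EKU list
    }
```

Run it against `openssl x509 -noout -text` output of any responder certificate you have on disk to get the same report for your own CA.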
Yeah, no SSL expert either.. where's one when you need them? :)

If you use the online checker at https://getssl.me/en/ssl-checker, phcorner.net does get TLS Web Server Authentication: https://getssl.me/en/ssl-checker/phcorner.net

Wonder if it depends on the SSL cert provider as well as the type of certificate?

I use both a startssl non-wildcard and an alphassl wildcard certificate, and with nginx and OCSP stapling verify enabled I get different results for the different certificates, despite setting them up on different nginx servers using the exact same process and configuration.

for free startssl non-wildcard

Code:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = IL, O = StartCom Ltd. (Start Commercial Limited), CN = StartCom Class 1 Server OCSP Signer
    Produced At: Jan  7 14:28:20 2014 GMT
--
            Not After : Feb  1 09:35:45 2014 GMT
        Subject: C=IL, O=StartCom Ltd. (Start Commercial Limited), CN=StartCom Class 1 Server OCSP Signer
        Subject Public Key Info:
--
            X509v3 Extended Key Usage:
                OCSP Signing, OCSP No Check
            X509v3 Subject Key Identifier:

for alpha ssl wildcard

Code:
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
--
    Response Extensions:
        OCSP Nonce:
            041084AEB205C64E3930D307A4D37AAA245
--
            Not After : Feb 19 10:25:23 2014 GMT
        Subject: O=AlphaSSL, CN=AlphaSSL CA - G2 OCSP responder - 1/serialNumber=20131119105000
        Subject Public Key Info:
--
            X509v3 Extended Key Usage:
                OCSP Signing
            OCSP No Check:

            X509v3 Subject Key Identifier:

I thought OCSP No Check is determined and controlled by the CA certificate, so maybe free startssl certs aren't bothering with verification (referring back to the startssl pdf policy doc for OCSP Profile)?

from startssl policy.pdf www.startssl.com/policy.pdf

7.5 OCSP Profile
Online Certificate Status Protocol responders conforms to RFC 2560.

Basic Constraint: critical, CA:FALSE
Key Usage: Digital Signature, Key Encipherment, Key Agreement
Extended Key Usage: OCSP Signing, No Check

while AlphaSSL Verisign's OCSP Profile doesn't stipulate any Extended Key Usage https://www.globalsign.com/repository/GlobalSign_CP_v4.5.pdf

7.3 OCSP Profile
Issuer CAs may operate an Online Certificate Status Profile (OCSP) responder in compliance with RFC 2560 or RFC5019

7.3.1 Version Number(s)
Issuer CAs shall issue Version 1 OCSP responses

7.3.2 OCSP Extensions
No stipulation

Guess one way to test it is for Floren to grab a startssl free cert and set it up and see? :)
 
I just purchased PositiveSSL, and I got this:
Code:
 openssl s_client -connect phcorner.net:443 -status -tls1_2 | grep OCSP
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify error:num=20:unable to get local issuer certificate
verify return:0
OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
 
Removing this include:
include /usr/local/nginx/conf/staticfiles.conf;
fixed this problem.

And this is staticfiles.conf content:
Code:
    location ~* \.(3gp|gif|jpg|jpeg|png|ico|wmv|avi|asf|asx|mpg|mpeg|mp4|pls|mp3|mid|wav|swf|flv|exe|zip|tar|rar|gz|tgz|bz2|uha|7z|doc|docx|xls|xlsx|pdf|iso|si)$ {
        gzip_static off;
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 90d;
        break;
    }

    location ~* \.(js)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(css)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 30d;
        break;
    }

    location ~* \.(html|htm|txt)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 7d;
        break;
    }

    location ~* \.(eot|svg|ttf|woff)$ {
        #add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        access_log off;
        expires 1y;
        break;
    }

This is a solution to your problem, but it comes at a cost. This config is enabled to reduce server overhead and response times. Handling static files through your CGI handler will reduce your site's performance.

What you should do to actually fix your problem is change Nginx's 404 page in the server block like so:

Code:
error_page 404 /404.php;

That tells Nginx what to serve when a 404 error is raised.
 