Feature Request: allow overriding OCSP responder

[razonyang]

Hi, I am getting stuck in OCSP stapling, since ocsp.int-x3.letsencrypt.org is not accessible/reachable from my location(China).

I hope Caddy can provide features similar to Nginx ssl_ocsp_responder for overriding OCSP responder, so that I can set up a proxy for it.

[francislavoie]

I think this would need to be implemented in https://github.com/caddyserver/certmagic actually, and if done there, an option would then need to be exposed in Caddy.

[mholt]

Yep, it'll be implemented in CertMagic then exposed here in Caddy.

Is there ever a reason that the overrides would be per-site? i.e. would configuring a global mapping of OCSP responder -> custom OCSP responder be a good solution?

[razonyang]

Nginx supports both of them, it would be nice to have them all.

[mholt]

@razonyang How does it support both? From what I can see at http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ocsp_responder, it looks like you just specify a single responder for all certs in that context.

[razonyang]

@mholt As the documentation mentioned, ssl_ocsp_responder can be placed in http or server context(tested locally).

But overrides OCSP responder globally is good enough for my use case.

[mholt]

I saw that, but there can be different OCSP servers for different CAs, regardless of the server or site that's being served. That's why I am asking: nginx's implementation doesn't really make sense. It feels like the right way to do this is to map one OCSP server to another, rather than assuming one OCSP server for a whole batch of certificates. And I think that mapping could be global.

[razonyang]

It seems no more feedback come up. As you said, global mapping is good enough.

[wizicer]

I'm suffered from this OCSP timeout issue too, just because my server is located in China.
I just hope the configure reload process could let site online before checking OCSP timeout, at least not sequentially timeout. in my case, my 12 sites configuration need at least 12*30s=6min to available to my visitors.

[mholt]

I've implemented this in CertMagic, now to expose configuration parameters in Caddy.

[mholt]

Implemented in 09432ba . To simply disable all OCSP stapling:

{
    ocsp_stapling off
}

will do the trick in the Caddyfile. With JSON config, you can do the same but also override responder URLs by mapping the embedded ones to their replacements. (See code for now; docs will be updated when released.)