
OCSP stapling fails in nginx on Fedora 28 with permission denied

2018-06-22

I noticed that my nginx instance was not stapling OCSP responses. In nginx's error.log I found:

connect() to 72.247.177.190:80 failed (13: Permission denied) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 72.247.177.190:80, certificate: "/path/to/fullchain.pem"

Running

ausearch -m AVC -ts today

yielded

type=AVC msg=audit(1529680797.942:639): avc: denied { name_connect } for pid=5011 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

This is because, with SELinux in enforcing mode, the httpd_t domain that nginx runs in is not allowed to initiate outbound TCP connections by default (the denied name_connect on http_port_t above), and fetching an OCSP response from the responder is exactly such a connection. Fix it by enabling the httpd_can_network_connect boolean (-P makes the change persist across reboots):

setsebool -P httpd_can_network_connect 1

and OCSP stapling should work.
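The diagnosis above has three parts: spot the httpd_t name_connect denial in the audit log, check the boolean, and confirm from a client that the server now staples. As an added example (not from the original post), the script below wraps each step in a shell function: httpd_connect_denials filters AVC records like the one ausearch printed and reports only the ones that point at this boolean, check_host runs it against today's denials, boolean_state reads the current value with getsebool, and staple_check asks openssl s_client for the stapled status. The sample AVC lines are constructed (the post's record plus an unrelated file denial that must not match); the hostname argument to staple_check and the grep on s_client's "OCSP Response Status: successful" line are my assumptions about the output format.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Constructed sample: the denial from the post plus an unrelated file denial.
SAMPLE_AVC='type=AVC msg=audit(1529680797.942:639): avc: denied { name_connect } for pid=5011 comm="nginx" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1529680800.100:640): avc: denied { read } for pid=5011 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Read AVC records on stdin; print "pid comm dest tcontext" for every record
# that is an httpd_t name_connect denial on a tcp_socket (the pattern behind
# httpd_can_network_connect). Exit 0 if at least one matched, 1 otherwise.
httpd_connect_denials() {
    awk '
        /^type=AVC/ && /denied +[{] *name_connect *[}]/ &&
        /scontext=[^ ]*:httpd_t:/ && /tclass=tcp_socket/ {
            pid = ""; comm = ""; dest = ""; tctx = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid") pid = kv[2]
                else if (kv[1] == "comm") comm = kv[2]
                else if (kv[1] == "dest") dest = kv[2]
                else if (kv[1] == "tcontext") tctx = kv[2]
            }
            gsub(/"/, "", comm)        # comm is quoted in the audit record
            print pid, comm, dest, tctx
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# On the affected host (needs root and the audit tools): today's denials,
# filtered to the ones this boolean would resolve.
check_host() {
    ausearch -m AVC -ts today 2>/dev/null | httpd_connect_denials
}

# Current value of the boolean ("on" or "off"), via getsebool.
boolean_state() {
    getsebool httpd_can_network_connect 2>/dev/null | awk '{ print $NF }'
}

# Client-side check that the server staples: openssl prints
# "OCSP Response Status: successful (0x0)" when a stapled response arrives.
# $1 is the hostname (assumed argument). Returns 0 if stapled.
staple_check() {
    printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
        | grep -q '^OCSP Response Status: successful'
}

# Demo on the constructed sample; on a real host use check_host instead.
printf '%s\n' "$SAMPLE_AVC" | httpd_connect_denials
```

Two things to keep in mind when using it. nginx fetches the OCSP response lazily in the background after the first handshake, so staple_check can report no stapled response on the first connection right after a restart even when everything is configured correctly; run it twice. And httpd_can_network_connect lets httpd_t connect to any TCP port, which is more than the OCSP fetch needs; if `semanage boolean -l` on your system shows httpd_can_network_relay as covering http_port_t (it does on Fedora's policy, as far as I know, but verify locally), that narrower boolean is the least-privilege choice for a responder on port 80.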