Oops, sorry about that. I'll wait for an answer from upstream for
DISTFILES icons.
On 6/26/22, Stuart Henderson <stu@spacehopper.org> wrote:
> binaries in cvs are not a great idea
>
> On 2022/06/26 12:26, Horia Racoviceanu wrote:
>> Changed the acme-client cron job to run daily, and chained ocspcheck
>> and relayd reload.
>>
>> ~ ~ * * * acme-client honk.example.com && ocspcheck -No
>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
>>
>> Added "favicon.ico" and "icon.png" in the port $FILESDIR to be
>> installed into $EXAMPLESDIR and @sample into /var/honk
>>
>> I haven't used DISTFILES because the icons are located on a private
>> honk instance, not in the distribution repo. I sent a request upstream
>> to include "favicon.ico" and "icon.png" in the honk repo so they'll
>> install by default.
>>
>> Thank you both! Sorry for the long delay, I've been testing the new cron
>> job.
>>
>> On 6/20/22, Stuart Henderson <stu@spacehopper.org> wrote:
>> > On 2022/06/19 13:28, Horia Racoviceanu wrote:
>> >> From my tests, the OCSP response is valid for a few hours, e.g.
>> >>
>> >> Using http to host ocsp.buypass.com, port 80, path /
>> >> OCSP response validated from ocsp.buypass.com
>> >> This Update: Sun Jun 19 09:55:11 2022
>> >> Next Update: Sun Jun 19 17:55:11 2022
>> >>
>> >> This is why I don't use "&&" to restart relayd when there's a new OCSP
>> >> response without a certificate renewal or vice versa.
>> >>
>> >> relayd could restart only when there's a new OCSP response but I
>> >> haven't tested it e.g.
>> >>
>> >> ~ * * * * acme-client honk.example.com; ocspcheck -No \
>> >> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl restart relayd
>> >>
>> >> Or I could separate acme-client and ocspcheck cron jobs and use "&&"
>> >> on both but I'm afraid there may be a few minutes of stale OCSP
>> >> response e.g.
>> >>
>> >> ~ * * * * acme-client honk.example.com && rcctl restart relayd
>> >> ~ * * * * ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt}
>> >> && rcctl restart relayd
>> >>
>> >> What do you think?
>> >
>> > acme-client doesn't need to run every hour. Once a day is plenty.
>> > You do really want to update OCSP if a cert has been renewed.
>> >
>> > Isn't "reload" enough? A full restart of relayd is rather disruptive
>> > especially if it's running multiple services.
>> >
>> > Looking at the existing pkg-readme:
>> >
>> > : Icon and favicon
>> > : ----------------
>> > :
>> > : honk# mkdir ${VARBASE}/www/htdocs/honk
>> > : honk# ftp -o ${VARBASE}/www/htdocs/honk/icon.png \
>> > : https://honk.tedunangst.com/icon.png
>> > : honk# ftp -o ${VARBASE}/www/htdocs/honk/favicon.ico \
>> > : https://honk.tedunangst.com/favicon.ico
>> >
>> > Why not include these in the package? Easiest way is probably to
>> > install in /usr/local/share/examples/honk and @sample into /var/www.
>> >
>> >
>
>
>
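
The cron chaining discussed in this thread, written as a wrapper script; this is an added example, not part of the original messages or the port. It treats acme-client's exit status 2 (certificate unchanged) as a non-failure so the short-lived OCSP response is still refreshed, and reloads relayd only when the certificate or the OCSP response actually changed. The overridable `ACME`, `OCSP`, `RCCTL` and `SSLDIR` variables, the `refresh_tls` name and the `/etc/ssl` default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Tool names and the ssl directory are
# overridable variables (an assumption made here so the logic can be tested).
ACME=${ACME:-acme-client}
OCSP=${OCSP:-ocspcheck}
RCCTL=${RCCTL:-rcctl}
SSLDIR=${SSLDIR:-/etc/ssl}    # assumed value of ${SYSCONFDIR}/ssl

# refresh_tls domain
# Returns 0 if relayd was reloaded, 2 if nothing changed, 1 on failure.
refresh_tls() {
    domain=$1
    crt="$SSLDIR/$domain.crt"
    ocsp="$SSLDIR/$domain.ocsp"
    changed=0

    rc=0
    $ACME "$domain" || rc=$?
    case $rc in
        0) changed=1 ;;   # certificate was renewed
        2) ;;             # certificate up to date: not an error
        *) echo "acme-client failed for $domain (exit $rc)" >&2; return 1 ;;
    esac

    # Fetch into a temporary file so a failed fetch keeps the old response.
    if ! $OCSP -N -o "$ocsp.new" "$crt"; then
        rm -f "$ocsp.new"
        echo "ocspcheck failed for $domain" >&2
        return 1
    fi
    if [ -f "$ocsp" ] && cmp -s "$ocsp.new" "$ocsp"; then
        rm -f "$ocsp.new"            # same response as before
    else
        mv "$ocsp.new" "$ocsp"       # new response: install it
        changed=1
    fi

    [ "$changed" -eq 1 ] || return 2
    $RCCTL reload relayd
}

# To run from cron, end the script with: refresh_tls honk.example.com
```

Run hourly, the script makes at most one reload per change, and a failed OCSP fetch leaves the previous response file in place.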