BTW, what do you think about a section in the FAQ about httpd, relayd and
acme-client for all web applications?
On 31.07.22 at 13:12, Stuart Henderson wrote:
> 1. The staple needs to be updated periodically
>
> 2. If the certificate is updated the staple needs to be updated too
>
> 3. If either the certificate or the staple are changed, relayd needs a
> reload
>
> To be honest I'm not sure if it really belongs in the doc for some
> random port in www, this applies to anyone using relayd to front-end a
> web application.
>
> --
> Sent from a phone, apologies for poor formatting.
>
>
> On 31 July 2022 02:16:13 Christoph Roland Winter <me@the.floof.rocks> wrote:
>
>> Besides this question, the idea of OCSP is
>>
>> By turning on OCSP Stapling, you can improve the performance of your
>> website, provide better privacy protections for your users, and help
>> Let's Encrypt efficiently serve as many people as possible.
>>
>> https://letsencrypt.org/docs/integration-guide/
>>
>> Is it better to update the OCSP file before it expires, or to update it only
>> seldom (in which case the question is whether it is not better not to use
>> OCSP at all)?
>>
>> On 31.07.22 at 00:33, Horia Racoviceanu wrote:
>>> I've switched the cron job to chaining acme-client && ocspcheck on
>>> June 20.
>>> Both the certificate and the OCSP response were last updated on June 20.
>>>
>>> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
>>> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 05:46:59 2022
>>>
>>> relayd and Firefox do not complain.
>>>
>>> ssllabs.com reports:
>>>
>>> OCSP Must Staple No
>>> OCSP stapling Yes
>>> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC 2022
>>>
>>> Can the OCSP STAPLING ERROR be ignored?
>>>
>>> On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>>> Welcome.
>>>>
>>>> The question then is why the OCSP staple file expires after hours or 7
>>>> days, while the certificate is only renewed after 60 days, following man 1
>>>> acme-client:
>>>>
>>>> -F Force certificate renewal, even if it has more than 30 days
>>>> validity.
>>>>
>>>> It can't be the idea to have such a long-expired OCSP file (I saw Firefox in
>>>> the past complain when an outdated OCSP file exists). So, if you replace
>>>> the first && with a ; nothing will change, as the last && to reload
>>>> relayd will only happen if the cert or the OCSP file (or both) was
>>>> renewed, and if both are up to date nothing will happen.
>>>>
>>>> Just my 2 cents.
>>>>
>>>> Regards,
>>>>
>>>>
>>>> Christoph
>>>>
>>>> On 30.07.22 at 19:07, Horia Racoviceanu wrote:
>>>>> Thanks for testing!
>>>>>
>>>>> As Stuart Henderson mentioned,
>>>>>> You do really want to update OCSP if a cert has been renewed.
>>>>>
>>>>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have only kept the first message and was not subscribed to the list
>>>>>> for some time - let's see where the message ends.
>>>>>>
>>>>>> I tried the latest patch from
>>>>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
>>>>>> fine using
>>>>>>
>>>>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022
>>>>>> and the -current ports tree using amd64.
>>>>>>
>>>>>> Maybe I am wrong but the crontab from the above patch
>>>>>>
>>>>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
>>>>>>
>>>>>> needs to be modified. The first && must be replaced with ; (or split
>>>>>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every 60
>>>>>> days, as acme-client renews the certificate only 30 days before it
>>>>>> expires (checked with the -v option, and as nothing happened before, &&
>>>>>> stops at this point). BTW, my ocsp file with the above command is valid
>>>>>> for 7 days.
>>>>>>
>>>>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>>>>>> Using http to host r3.o.lencr.org, port 80, path /
>>>>>> OCSP response validated from r3.o.lencr.org
>>>>>> This Update: Thu Jul 28 15:00:00 2022
>>>>>> Next Update: Thu Aug 4 14:59:58 2022
>>>>>>
>>>>>> The only thing I did was use the /etc/examples/acme-client.conf file,
>>>>>> add my email and add the domain blocks.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> Christoph
>>>>>>
>>>>>>
>>>>>> On 01.06.22 at 23:37, Horia Racoviceanu wrote:
>>>>>>> Upgrade to v0.9.8
>>>>>>> - Add MESSAGE
>>>>>>> - Update README
>>>>>>>
>>>>>>> changelog
>>>>>>>
>>>>>>> === 0.9.8 Tentative Tentacle
>>>>>>>
>>>>>>> + Switch database to WAL mode.
>>>>>>>
>>>>>>> - go version 1.16 required.
>>>>>>>
>>>>>>> + Specify banner: image in profile.
>>>>>>>
>>>>>>> + Update activity compatibility with mastodon.
>>>>>>>
>>>>>>> - Signed fetch.
>>>>>>>
>>>>>>> + Better unicode hashtags.
>>>>>>>
>>>>>>> + Some more configuration options.
>>>>>>>
>>>>>>> + Some UI improvements to web interface.
>>>>>>>
>>>>>>> + Add atme class to mentions
>>>>>>>
>>>>>>> + Improvements to the mastodon importer.
>>>>>>>
>>>>>>> + More hydration capable pages.
>>>>>>>
>>>>>>> + Support for local.js.
>>>>>>>
>>>>>>> + Better error messages for timeouts.
>>>>>>>
>>>>>>> + Some improved html and markdown.
>>>>>>
>>>>
>
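The thread's point is that a single `acme-client && ocspcheck && rcctl reload relayd` chain stops at the first `&&` whenever acme-client has nothing to renew, so the staple (valid for days) is only refreshed when the certificate (valid for months) changes. The script below is an added example written for this page; it is not the honk port's crontab nor code from anyone in the thread. It assumes the exit status documented in acme-client(1) (0 when the certificate changed, 2 when nothing changed, 1 on error), that ocspcheck exits non-zero when it cannot obtain a valid response, and it uses placeholder paths and domain; the `ACME`, `OCSPCHECK` and `RCCTL` variables exist only so the command names can be swapped for test stubs.

```shell
#!/bin/sh
# renew-staple.sh: cron-driven certificate renewal plus OCSP staple refresh
# for a relayd front end. Added example, not the honk port's own crontab.
# Assumptions (from acme-client(1)): exit 0 = certificate changed,
# 2 = nothing changed, 1 = error. Domain, paths and command names are
# placeholders that can be overridden through the environment.

DOMAIN="${DOMAIN:-honk.example.com}"
SSLDIR="${SSLDIR:-/etc/ssl}"
ACME="${ACME:-acme-client}"
OCSPCHECK="${OCSPCHECK:-ocspcheck}"
RCCTL="${RCCTL:-rcctl}"
RESULT=""   # outcome of the last run_renewal: reloaded|unchanged|acme-error|reload-failed

# renew_cert: run acme-client for $DOMAIN. Prints "changed" or "unchanged";
# returns 1 (after printing "error") if acme-client itself failed.
renew_cert() {
    rc=0
    "$ACME" "$DOMAIN" || rc=$?
    case $rc in
        0) echo changed ;;
        2) echo unchanged ;;
        *) echo error; return 1 ;;
    esac
}

# refresh_staple: fetch a new OCSP response into a temporary file and only
# replace the live staple when the bytes differ, so a failed fetch never
# clobbers a still-valid staple and an identical response causes no reload.
# Prints "changed" or "unchanged".
refresh_staple() {
    crt="$SSLDIR/$DOMAIN.crt"
    staple="$SSLDIR/$DOMAIN.ocsp"
    new="$staple.new"
    if ! "$OCSPCHECK" -No "$new" "$crt" 2>/dev/null; then
        rm -f "$new"
        echo "ocspcheck failed; keeping existing staple" >&2
        echo unchanged
        return 0
    fi
    if cmp -s "$new" "$staple" 2>/dev/null; then
        rm -f "$new"
        echo unchanged
    else
        mv "$new" "$staple"
        echo changed
    fi
}

# run_renewal: the cron entry point. Unlike the single && chain, the staple
# is refreshed on every run, not only when the certificate changed, and
# relayd is reloaded when either file changed.
run_renewal() {
    cert_state=$(renew_cert) || { RESULT=acme-error; echo "$RESULT"; return 1; }
    staple_state=$(refresh_staple)
    if [ "$cert_state" = changed ] || [ "$staple_state" = changed ]; then
        if "$RCCTL" reload relayd; then
            RESULT=reloaded
        else
            RESULT=reload-failed
            echo "$RESULT"
            return 1
        fi
    else
        RESULT=unchanged
    fi
    echo "$RESULT"
}

# Invoked from cron as `renew-staple.sh run` it does the work; when sourced
# (for example in a test) it only defines the functions.
if [ "${1:-}" = "run" ]; then
    run_renewal
fi
```

Installed as `/usr/local/sbin/renew-staple.sh`, the crontab entry becomes `~ ~ * * * /usr/local/sbin/renew-staple.sh run`, and a staple that ocspcheck -vNi reports as "too old" would be replaced at the next run instead of lingering until the certificate's own renewal.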