Saturday, July 30, 2022

Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8

You're welcome.

The question then is why the OCSP staple file expires after hours or 7
days while the certificate is only renewed after 60 days, following man 1
acme-client:

-F Force certificate renewal, even if it has more than 30 days
validity.

It can't be the intention to have such a long-expired OCSP file (I saw
Firefox complain in the past when an outdated OCSP file existed). So, if
you replace the first && with a ;, nothing will change, as the last && to
reload relayd will only happen if the cert or the OCSP file (or both) was
renewed, and if both are up to date nothing will happen.

Just my 2 cents.

Regards,


Christoph

On 30.07.22 at 19:07, Horia Racoviceanu wrote:
> Thanks for testing!
>
> As Stuart Henderson mentioned,
>> You do really want to update OCSP if a cert has been renewed.
>
> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>> Hello,
>>
>> I have only kept the first message and was not subscribed to the list
>> for some time - let's see where the message ends up.
>>
>> I tried the latest patch from
>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
>> fine using
>>
>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
>> -current ports tree using amd64.
>>
>> Maybe I am wrong, but the crontab from the above patch
>>
>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
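Review bot: the first && in this crontab line makes ocspcheck conditional on acme-client exiting 0, which it only does when it actually renewed the certificate, so the OCSP staple (valid for about a week according to the ocspcheck -v output quoted further down) is only refreshed on the roughly 60-day renewal cycle and sits expired in between. Split the line into two cron entries, or use ; between the acme-client and ocspcheck steps, and keep the trailing && rcctl reload relayd so the reload still depends on the staple step having succeeded.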
>>
>> needs to be modified. The first && must be replaced with ; (or split
>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every 60
>> days, as acme-client renews the certificate only 30 days before it
>> expires (checked with the -v option, and as nothing happened before, &&
>> stops at this point). BTW, my ocsp file with the above command is valid
>> for 7 days.
>>
>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>> Using http to host r3.o.lencr.org, port 80, path /
>> OCSP response validated from r3.o.lencr.org
>> This Update: Thu Jul 28 15:00:00 2022
>> Next Update: Thu Aug 4 14:59:58 2022
>>
>> The only thing I did was using the /etc/examples/acme-client.conf file,
>> added my email and added the domain blocks.
>>
>> Regards,
>>
>>
>> Christoph
>>
>>
>> On 01.06.22 at 23:37, Horia Racoviceanu wrote:
>>> Upgrade to v0.9.8
>>> - Add MESSAGE
>>> - Update README
>>>
>>> changelog
>>>
>>> === 0.9.8 Tentative Tentacle
>>>
>>> + Switch database to WAL mode.
>>>
>>> - go version 1.16 required.
>>>
>>> + Specify banner: image in profile.
>>>
>>> + Update activity compatibility with mastodon.
>>>
>>> - Signed fetch.
>>>
>>> + Better unicode hashtags.
>>>
>>> + Some more configuration options.
>>>
>>> + Some UI improvements to web interface.
>>>
>>> + Add atme class to mentions
>>>
>>> + Improvements to the mastodon importer.
>>>
>>> + More hydration capable pages.
>>>
>>> + Support for local.js.
>>>
>>> + Better error messages for timeouts.
>>>
>>> + Some improved html and markdown.
>>

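Added example (not code from the honk port, the patch in this thread, or any of the posters): a small sh script to call from cron in place of the one-line && chain above. It runs acme-client and ocspcheck independently, so a stale OCSP staple is refreshed even on the many runs where the certificate is not renewed, and it reloads relayd only when the certificate or the staple file actually changed. It relies on acme-client(1) exiting 0 when it wrote a new certificate, 2 when nothing changed and 1 on error. The ACME_CMD, OCSP_CMD and RELOAD_CMD overrides and the SYSCONFDIR argument (defaulting to /etc, as in the port's crontab) are assumptions added here so the logic can be exercised without the real tools; the reload decision is based on the staple file's contents rather than on ocspcheck's exit status.

```shell
#!/bin/sh
# Added example: drop-in replacement for the crontab line
#   acme-client DOMAIN && ocspcheck -No .../DOMAIN.{ocsp,crt} && rcctl reload relayd
# Call as: renew_and_staple honk.example.com [/etc]
# ACME_CMD / OCSP_CMD / RELOAD_CMD are assumed overrides for testing only.

# Decide whether relayd must be reloaded: the certificate was renewed ($1 = 1)
# or the staple file's checksum changed ($2 = before, $3 = after).
needs_reload() {
	[ "$1" = 1 ] || [ "$2" != "$3" ]
}

# Checksum of a file, or empty when it does not exist yet (first run).
sum_of() {
	if [ -f "$1" ]; then cksum < "$1"; fi
}

renew_and_staple() {
	domain=$1
	sysconfdir=${2:-/etc}
	cert="$sysconfdir/ssl/$domain.crt"
	staple="$sysconfdir/ssl/$domain.ocsp"
	acme=${ACME_CMD:-acme-client}
	ocsp=${OCSP_CMD:-ocspcheck}
	reload=${RELOAD_CMD:-"rcctl reload relayd"}   # unquoted on use: word-split on purpose
	cert_changed=0

	# acme-client(1): exit 0 = new certificate written, 2 = nothing changed,
	# 1 = error. Only an error aborts the run; "unchanged" is the normal case.
	if $acme "$domain"; then
		cert_changed=1
	else
		rc=$?
		if [ "$rc" -ne 2 ]; then
			echo "acme-client $domain failed (exit $rc)" >&2
			return 1
		fi
	fi

	# Always run the staple step, independent of the certificate result.
	# -N keeps the existing response while it is still valid, so this is cheap;
	# a failed fetch leaves the previous staple in place and is only reported.
	before=$(sum_of "$staple")
	if ! $ocsp -No "$staple" "$cert"; then
		echo "ocspcheck for $domain failed; keeping previous staple" >&2
	fi
	after=$(sum_of "$staple")

	# Reload relayd only when it has something new to pick up.
	if needs_reload "$cert_changed" "$before" "$after"; then
		if ! $reload; then
			echo "reload of relayd failed after updating $domain" >&2
			return 1
		fi
	fi
	return 0
}
```

With this in place the crontab entry becomes a single call to the script, and cron mail only arrives when acme-client, ocspcheck or the reload actually fails; the seven-day staple from the ocspcheck -v output above is refreshed whenever -N decides it is due, not only on the 60-day certificate renewal.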