1. The staple needs to be updated periodically
2. If the certificate is updated the staple needs to be updated too
3. If either the certificate or the staple are changed, relayd needs a reload
To be honest I'm not sure if it really belongs in the doc for some random
port in www; this applies to anyone using relayd to front-end a web
application.
--
Sent from a phone, apologies for poor formatting.
On 31 July 2022 02:16:13 Christoph Roland Winter <me@the.floof.rocks> wrote:
> Besides this question, the idea of OCSP is
>
> By turning on OCSP Stapling, you can improve the performance of your
> website, provide better privacy protections for your users, and help
> Let's Encrypt efficiently serve as many people as possible.
>
> https://letsencrypt.org/docs/integration-guide/
>
> Is it better to update the OCSP file before it expires or update it only
> seldom (in this case the question is whether it is not better not to
> use OCSP).
>
> Am 31.07.22 um 00:33 schrieb Horia Racoviceanu:
>> I've switched the cron job to chaining acme-client && ocspcheck on June 20.
>> Both the certificate and the OCSP response were last updated on June 20.
>>
>> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
>> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 05:46:59 2022
>>
>> relayd and Firefox do not complain.
>>
>> ssllabs.com reports:
>>
>> OCSP Must Staple No
>> OCSP stapling Yes
>> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC 2022
>>
>> Can the OCSP STAPLING ERROR be ignored?
>>
>> On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>> Welcome.
>>>
>>> The question is then why the OCSP staple file expires after hours or 7
>>> days while the certificate will be renewed after 60 days, following man 1
>>> acme-client:
>>>
>>> -F Force certificate renewal, even if it has more than 30 days
>>> validity.
>>>
>>> It can't be the idea to have so long an expired OCSP file (I saw Firefox in
>>> the past complain when an outdated OCSP file exists). So, if you replace
>>> the first && with a ; nothing will change, as the last && to reload
>>> relayd will only happen if the cert or the OCSP file (or both) was
>>> renewed, and if both are up to date nothing will happen.
>>>
>>> Just my 2 cents.
>>>
>>> Regards,
>>>
>>>
>>> Christoph
>>>
>>> Am 30.07.22 um 19:07 schrieb Horia Racoviceanu:
>>>> Thanks for testing!
>>>>
>>>> As Stuart Henderson mentioned,
>>>>> You do really want to update OCSP if a cert has been renewed.
>>>>
>>>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>>>> Hello,
>>>>>
>>>>> I have only kept the first message and was not subscribed to the list
>>>>> for some time - let's see where the message ends.
>>>>>
>>>>> I tried the latest patch from
>>>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
>>>>> fine using
>>>>>
>>>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
>>>>> -current ports tree using amd64.
>>>>>
>>>>> Maybe I am wrong but the crontab from the above patch
>>>>>
>>>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
>>>>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
>>>>>
>>>>> needs to be modified. The first && must be replaced with ; (or split
>>>>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every 60
>>>>> days, as acme-client renews the certificate only 30 days before it
>>>>> expires (checked with the -v option; as nothing happened before, &&
>>>>> stops at this point). BTW my ocsp file with the above command is valid
>>>>> for 7 days.
>>>>>
>>>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>>>>> Using http to host r3.o.lencr.org, port 80, path /
>>>>> OCSP response validated from r3.o.lencr.org
>>>>> This Update: Thu Jul 28 15:00:00 2022
>>>>> Next Update: Thu Aug 4 14:59:58 2022
>>>>>
>>>>> The only thing I did was using the /etc/examples/acme-client.conf file,
>>>>> added my email and added the domain blocks.
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> Christoph
>>>>>
>>>>>
>>>>> Am 01.06.22 um 23:37 schrieb Horia Racoviceanu:
>>>>>> Upgrade to v0.9.8
>>>>>> - Add MESSAGE
>>>>>> - Update README
>>>>>>
>>>>>> changelog
>>>>>>
>>>>>> === 0.9.8 Tentative Tentacle
>>>>>>
>>>>>> + Switch database to WAL mode.
>>>>>>
>>>>>> - go version 1.16 required.
>>>>>>
>>>>>> + Specify banner: image in profile.
>>>>>>
>>>>>> + Update activity compatibility with mastodon.
>>>>>>
>>>>>> - Signed fetch.
>>>>>>
>>>>>> + Better unicode hashtags.
>>>>>>
>>>>>> + Some more configuration options.
>>>>>>
>>>>>> + Some UI improvements to web interface.
>>>>>>
>>>>>> + Add atme class to mentions
>>>>>>
>>>>>> + Improvements to the mastodon importer.
>>>>>>
>>>>>> + More hydration capable pages.
>>>>>>
>>>>>> + Support for local.js.
>>>>>>
>>>>>> + Better error messages for timeouts.
>>>>>>
>>>>>> + Some improved html and markdown.
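The cron sequencing discussed in this thread, as an added example that is not part of the original posts or of the honk port: a POSIX sh wrapper that drops the first "&&" so the staple is refreshed on every run and relayd is only reloaded once a fresh staple is on disk. The domain, file paths and relayd service name are taken from the crontab line quoted above; the exit status of ocspcheck (0 on success) and the script path are assumptions, while the acme-client exit codes follow acme-client(1).

```shell
#!/bin/sh
# Added example (not code from the thread): cron wrapper implementing the fix
# discussed above. Without the first "&&", the OCSP staple is refreshed on
# every run instead of only on the ~60-day certificate renewal. Domain, paths
# and the relayd service name are assumptions taken from the quoted crontab.
DOMAIN=${DOMAIN:-honk.example.com}
CERT=/etc/ssl/$DOMAIN.crt
STAPLE=/etc/ssl/$DOMAIN.ocsp

# Each step is a function so the sequencing logic can be exercised without
# network access or a running relayd (redefine them in a test).
acme_step() { acme-client "$DOMAIN"; }   # exits 0 changed, 2 unchanged, 1 error
# -N: no nonce (Let's Encrypt responders do not support it); -o: write the
# fetched and validated response to the staple file. Assumed: exit 0 on success.
ocsp_step() { ocspcheck -N -o "$STAPLE" "$CERT"; }
reload_step() { rcctl reload relayd; }

# Returns 0 if relayd was reloaded with a fresh staple, 1 otherwise.
renew_and_reload() {
    acme_step && acme_rc=0 || acme_rc=$?
    case $acme_rc in
        0) echo "certificate for $DOMAIN renewed" ;;
        2) : ;;   # nothing to renew yet; the staple still needs refreshing
        *) echo "acme-client failed (rc=$acme_rc); keeping current cert" >&2 ;;
    esac
    # Refresh the staple whatever acme-client did: the response is valid for
    # about 7 days (per the thread) while the cert is renewed every 60 days.
    if ! ocsp_step; then
        echo "ocspcheck failed; staple not refreshed, not reloading relayd" >&2
        return 1
    fi
    reload_step || { echo "relayd reload failed" >&2; return 1; }
}

# Example crontab line (hypothetical script path):
#   ~ ~ * * * /usr/local/sbin/renew-honk.sh run
case "${1-}" in run) renew_and_reload ;; esac
```

Validating the staple already on disk, as done in the thread with `ocspcheck -vNi`, is a useful monitoring check to run from a separate cron job.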