I've switched the cron job to chaining acme-client && ocspcheck on June 20.
Both the certificate and the OCSP response were last updated on June 20.
# ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 05:46:59 2022
relayd and Firefox do not complain.
ssllabs.com reports:
OCSP Must Staple No
OCSP stapling Yes
OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC 2022
Can the OCSP STAPLING ERROR be ignored?
On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
> Welcome.
>
> The question then is why the OCSP staple file expires after hours or 7
> days while the certificate will only be renewed after 60 days, following man 1
> acme-client:
>
> -F Force certificate renewal, even if it has more than 30 days
> validity.
>
> It can't be the idea to have such a long-expired OCSP file (I saw Firefox
> complain in the past when an outdated OCSP file exists). So, if you replace
> the first && with a ; nothing will change, as the last && to reload
> relayd will only happen if the cert or the OCSP file (or both) was
> renewed, and if both are up to date nothing will happen.
>
> Just my 2 cents.
>
> Regards,
>
>
> Christoph
>
> On 30.07.22 at 19:07, Horia Racoviceanu wrote:
>> Thanks for testing!
>>
>> As Stuart Henderson mentioned,
>>> You do really want to update OCSP if a cert has been renewed.
>>
>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>> Hello,
>>>
>>> I have only kept the first message and was not subscribed to the list for
>>> some time - let's see where the message ends.
>>>
>>> I tried the latest patch from
>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
>>> fine using
>>>
>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
>>> -current ports tree using amd64.
>>>
>>> Maybe I am wrong but the crontab from the above patch
>>>
>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
>>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
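Review bot: the first `&&` makes ocspcheck conditional on acme-client exiting 0, and as the follow-up below observes, acme-client does not exit 0 when the certificate is not yet due for renewal, so with this line the staple is only re-fetched when the certificate itself is renewed (roughly every 60 days) while the OCSP response shown further down is only valid for 7 days. Run ocspcheck unconditionally and keep the reload conditional on it, e.g. `acme-client honk.example.com; ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd`, or split the line into two cron entries; the README or pkg-readme should also say that the staple has to be refreshed independently of the certificate.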
>>>
>>> needs to be modified. The first && must be replaced with ; (or split
>>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every 60
>>> days, as acme-client renews the certificate only 30 days before it
>>> expires (checked with the -v option; as nothing happened before, &&
>>> stops at this point). BTW, my ocsp file with the above command is valid
>>> for 7 days.
>>>
>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>>> Using http to host r3.o.lencr.org, port 80, path /
>>> OCSP response validated from r3.o.lencr.org
>>> This Update: Thu Jul 28 15:00:00 2022
>>> Next Update: Thu Aug 4 14:59:58 2022
>>>
>>> The only thing I did was using the /etc/examples/acme-client.conf file,
>>> added my email and added the domain blocks.
>>>
>>> Regards,
>>>
>>>
>>> Christoph
>>>
>>>
>>> On 01.06.22 at 23:37, Horia Racoviceanu wrote:
>>>> Upgrade to v0.9.8
>>>> - Add MESSAGE
>>>> - Update README
>>>>
>>>> changelog
>>>>
>>>> === 0.9.8 Tentative Tentacle
>>>>
>>>> + Switch database to WAL mode.
>>>>
>>>> - go version 1.16 required.
>>>>
>>>> + Specify banner: image in profile.
>>>>
>>>> + Update activity compatibility with mastodon.
>>>>
>>>> - Signed fetch.
>>>>
>>>> + Better unicode hashtags.
>>>>
>>>> + Some more configuration options.
>>>>
>>>> + Some UI improvements to web interface.
>>>>
>>>> + Add atme class to mentions
>>>>
>>>> + Improvements to the mastodon importer.
>>>>
>>>> + More hydration capable pages.
>>>>
>>>> + Support for local.js.
>>>>
>>>> + Better error messages for timeouts.
>>>>
>>>> + Some improved html and markdown.
>>>
>
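The thread's point, that the OCSP staple must be refreshed independently of the certificate and relayd reloaded only when one of the two files changed, written out as a cron-driven script. This is an added example, not the honk port's crontab and not code from anyone in the thread. It keeps the file layout the thread uses (/etc/ssl/DOMAIN.crt and /etc/ssl/DOMAIN.ocsp, honk.example.com as the domain); the script name /usr/local/sbin/refresh-staple, the function names `refresh` and `fp`, and the ACME/OCSPCHECK/RELOAD variables that let the real commands be swapped for stand-ins are assumptions of the example. It goes slightly beyond the thread in one respect: when acme-client has just renewed the certificate but ocspcheck fails, it removes the staple that belonged to the old certificate rather than serving it with the new one, which is acceptable as long as the certificate does not carry OCSP Must-Staple (ssllabs reports "No" for the host above).

```sh
#!/bin/sh
# Added example (not from the thread): renew the certificate and refresh the
# OCSP staple as two independent steps, and reload relayd only when one of
# the two files actually changed. Meant to run daily from cron, e.g.
#   ~ ~ * * * /usr/local/sbin/refresh-staple honk.example.com
#
# Assumption of the example: the real commands are reached through these
# variables so the control flow can be exercised with stand-in functions on
# a machine where acme-client(1), ocspcheck(8) and rcctl(8) are not present.
: "${ACME:=acme-client}"
: "${OCSPCHECK:=ocspcheck}"
: "${RELOAD:=rcctl reload relayd}"

# fp FILE: a cheap fingerprint of FILE's contents, or "missing".
fp() {
    if [ -f "$1" ]; then cksum < "$1"; else echo missing; fi
}

# refresh DOMAIN [SSLDIR]
# Exit status: 0 = a file changed and relayd was reloaded,
#              1 = nothing changed, 2 = acme-client failed.
refresh() {
    domain=$1
    dir=${2:-/etc/ssl}
    crt=$dir/$domain.crt
    ocsp=$dir/$domain.ocsp
    crt_before=$(fp "$crt")
    ocsp_before=$(fp "$ocsp")

    # acme-client(1) exits 0 only when the certificate changed; on an
    # ordinary day, with more than 30 days of validity left, it does nothing
    # and exits non-zero. That is why chaining it with '&&' starves the
    # staple: only a real failure (exit 1) should stop us here.
    acme_rc=0
    $ACME "$domain" || acme_rc=$?
    if [ "$acme_rc" -eq 1 ]; then
        echo "refresh: acme-client failed for $domain" >&2
        return 2
    fi

    # Fetch a fresh OCSP response whether or not the certificate was renewed:
    # the Let's Encrypt response in the thread is good for 7 days, the
    # certificate for far longer. -N: no nonce in the request, -o: write the
    # validated response to the staple file.
    if ! $OCSPCHECK -N -o "$ocsp" "$crt"; then
        echo "refresh: ocspcheck could not refresh the staple for $domain" >&2
        if [ "$(fp "$crt")" != "$crt_before" ]; then
            # The certificate was just renewed and we have no response for it.
            # A staple for the previous certificate is worse than none: drop it
            # so clients ask the responder themselves (fine without Must-Staple).
            rm -f "$ocsp"
        fi
    fi

    if [ "$(fp "$crt")" = "$crt_before" ] && [ "$(fp "$ocsp")" = "$ocsp_before" ]; then
        return 1
    fi
    # Word-split on purpose: the default is "rcctl reload relayd".
    $RELOAD
}
```

Cron mails whatever the script writes to stderr, so a failing acme-client or responder shows up the same day instead of surfacing weeks later as the "OCSP response expired" error reported by ssllabs above.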