ping
On 9/16/22, Horia Racoviceanu <horia@racoviceanu.com> wrote:
> - Changed the certificate renewal cron job based on the OCSP staple
> interval for letsencrypt (for buypass it should be changed to run
> every 7th hour) and based on the update steps listed by Stuart
> - Replaced VARBASE with LOCALSTATEDIR
>
> I'd like to keep the acme-client and ocspcheck configuration in the
> port README because I know some less OpenBSD savvy people who
> installed the Honk package.
>
> On 7/31/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>> BTW, what do you think about a section in the FAQ about httpd, relayd,
>> acme-client for all web applications?
>>
>> On 31.07.22 at 13:12, Stuart Henderson wrote:
>>> 1. The staple needs to be updated periodically
>>>
>>> 2. If the certificate is updated the staple needs to be updated too
>>>
>>> 3. If either the certificate or the staple is changed, relayd needs a
>>> reload
>>>
>>> To be honest I'm not sure if it really belongs in the doc for some
>>> random port in www, this applies to anyone using relayd to front-end a
>>> web application.
>>>
>>> --
>>> Sent from a phone, apologies for poor formatting.
>>>
>>>
>>> On 31 July 2022 02:16:13 Christoph Roland Winter <me@the.floof.rocks>
>>> wrote:
>>>
>>>> Besides this question, the idea of OCSP is
>>>>
>>>> By turning on OCSP Stapling, you can improve the performance of your
>>>> website, provide better privacy protections for your users, and help
>>>> Let's Encrypt efficiently serve as many people as possible.
>>>>
>>>> https://letsencrypt.org/docs/integration-guide/
>>>>
>>>> Is it better to update the OCSP file before it expires or update it
>>>> only seldom (in this case the question is whether it is not better
>>>> not to use OCSP)?
>>>>
>>>> On 31.07.22 at 00:33, Horia Racoviceanu wrote:
>>>>> I've switched the cron job to chaining acme-client && ocspcheck on
>>>>> June 20. Both the certificate and the OCSP response were last
>>>>> updated on June 20.
>>>>>
>>>>> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
>>>>> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20
>>>>> 05:46:59 2022
>>>>>
>>>>> relayd and Firefox do not complain.
>>>>>
>>>>> ssllabs.com reports:
>>>>>
>>>>> OCSP Must Staple No
>>>>> OCSP stapling Yes
>>>>> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC
>>>>> 2022
>>>>>
>>>>> Can the OCSP STAPLING ERROR be ignored?
>>>>>
>>>>> On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>>>>> Welcome.
>>>>>>
>>>>>> The question is then, why the OCSP staple file expires after hours
>>>>>> or 7 days and the certificate will be renewed after 60 days,
>>>>>> following man 1 acme-client:
>>>>>>
>>>>>> -F Force certificate renewal, even if it has more than 30 days
>>>>>> validity.
>>>>>>
>>>>>> It can't be the idea to have so long an expired OCSP file (saw
>>>>>> Firefox in the past complain when an outdated OCSP file exists).
>>>>>> So, if you replace the first && with a ; nothing will change as the
>>>>>> last && to reload relayd will only happen if the cert or the OCSP
>>>>>> file (or both) was renewed, and if both are up to date nothing will
>>>>>> happen.
>>>>>>
>>>>>> Just my 2 cents.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>>
>>>>>> Christoph
>>>>>>
>>>>>> On 30.07.22 at 19:07, Horia Racoviceanu wrote:
>>>>>>> Thanks for testing!
>>>>>>>
>>>>>>> As Stuart Henderson mentioned,
>>>>>>>> You do really want to update OCSP if a cert has been renewed.
>>>>>>>
>>>>>>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I have only kept the first message and was for some time not
>>>>>>>> subscribed to the list - let's see where the message ends.
>>>>>>>>
>>>>>>>> I tried the latest patch from
>>>>>>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it
>>>>>>>> worked fine using
>>>>>>>>
>>>>>>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022
>>>>>>>>
>>>>>>>> and the -current ports tree using amd64.
>>>>>>>>
>>>>>>>> Maybe I am wrong but the crontab from the above patch
>>>>>>>>
>>>>>>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
>>>>>>>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload
>>>>>>>> relayd
>>>>>>>>
>>>>>>>> needs to be modified. The first && must be replaced with ; (or
>>>>>>>> split into 2 cron jobs). As it is now, the ocsp file only gets
>>>>>>>> renewed every 60 days, as acme-client renews the certificate only
>>>>>>>> 30 days before it expires (checked with the -v option and as
>>>>>>>> nothing happened before, && stops at this point). BTW my ocsp file
>>>>>>>> with the above command is valid for 7 days.
>>>>>>>>
>>>>>>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
>>>>>>>> Using http to host r3.o.lencr.org, port 80, path /
>>>>>>>> OCSP response validated from r3.o.lencr.org
>>>>>>>> This Update: Thu Jul 28 15:00:00 2022
>>>>>>>> Next Update: Thu Aug 4 14:59:58 2022
>>>>>>>>
>>>>>>>> The only thing I did was using the /etc/examples/acme-client.conf
>>>>>>>> file, added my email and added the domain blocks.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> Christoph
>>>>>>>>
>>>>>>>>
>>>>>>>> On 01.06.22 at 23:37, Horia Racoviceanu wrote:
>>>>>>>>> Upgrade to v0.9.8
>>>>>>>>> - Add MESSAGE
>>>>>>>>> - Update README
>>>>>>>>>
>>>>>>>>> changelog
>>>>>>>>>
>>>>>>>>> === 0.9.8 Tentative Tentacle
>>>>>>>>>
>>>>>>>>> + Switch database to WAL mode.
>>>>>>>>>
>>>>>>>>> - go version 1.16 required.
>>>>>>>>>
>>>>>>>>> + Specify banner: image in profile.
>>>>>>>>>
>>>>>>>>> + Update activity compatibility with mastodon.
>>>>>>>>>
>>>>>>>>> - Signed fetch.
>>>>>>>>>
>>>>>>>>> + Better unicode hashtags.
>>>>>>>>>
>>>>>>>>> + Some more configuration options.
>>>>>>>>>
>>>>>>>>> + Some UI improvements to web interface.
>>>>>>>>>
>>>>>>>>> + Add atme class to mentions
>>>>>>>>>
>>>>>>>>> + Improvements to the mastodon importer.
>>>>>>>>>
>>>>>>>>> + More hydration capable pages.
>>>>>>>>>
>>>>>>>>> + Support for local.js.
>>>>>>>>>
>>>>>>>>> + Better error messages for timeouts.
>>>>>>>>>
>>>>>>>>> + Some improved html and markdown.
>>>>>>>>
>>>>>>
>>>
>>
>
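The cron chain argued over in this thread, written out as an added example (not code from the Honk port, its README patch, or OpenBSD). It models both the original `acme-client && ocspcheck && rcctl reload relayd` line and a version following Stuart's three rules: refresh the staple on every run regardless of whether the certificate changed, and reload relayd when either one changed. It assumes, as labelled in the comments, that acme-client(1) exits 0 when it renewed the certificate and 2 when nothing changed, and that ocspcheck(8) with `-o` exits 0 when it wrote a fresh staple; the `fake_*` functions stand in for the two tools so the script runs anywhere.

```shell
#!/bin/sh
# Added example for the cron-chain discussion above, not code from the Honk
# port or OpenBSD. Assumptions: acme-client(1) exits 0 when it issued or
# renewed a certificate, 1 on error and 2 when the certificate did not
# change; ocspcheck(8) with -o is assumed to exit 0 only when it wrote a
# fresh staple. The fake_* functions stand in for the real tools; replace
# them with
#   acme-client "$domain"
#   ocspcheck -No /etc/ssl/"$domain".ocsp /etc/ssl/"$domain".crt
# to use the logic for real.

fake_acme_client() { return "$1"; }   # $1 = simulated exit status
fake_ocspcheck()   { return "$1"; }   # $1 = simulated exit status

# The chain from the original patch: acme-client && ocspcheck && rcctl reload.
# Prints the steps that actually ran. With exit status 2 from acme-client
# (nothing to renew) the chain stops, so the staple is never refreshed
# between certificate renewals, which is the problem Christoph reported.
chain_original() {
    steps="acme"
    if fake_acme_client "$1"; then
        steps="$steps ocsp"
        if fake_ocspcheck "$2"; then
            steps="$steps reload"
        fi
    fi
    echo "$steps"
}

# Corrected logic following Stuart's three rules: run acme-client, always
# run ocspcheck afterwards (the staple has its own lifetime of hours or
# days), and reload relayd if either the certificate or the staple changed.
chain_fixed() {
    cert_changed=no
    staple_changed=no
    if fake_acme_client "$1"; then cert_changed=yes; fi
    if fake_ocspcheck "$2"; then staple_changed=yes; fi
    if [ "$cert_changed" = yes ] || [ "$staple_changed" = yes ]; then
        reload=yes   # here the real job would run: rcctl reload relayd
    else
        reload=no
    fi
    echo "cert=$cert_changed staple=$staple_changed reload=$reload"
}

# Stand-alone demonstration: certificate unchanged (2), staple refreshed (0).
echo "original: $(chain_original 2 0)"
echo "fixed:    $(chain_fixed 2 0)"
```

Without `-i`, ocspcheck fetches and writes a new response on every run, so under the assumed exit codes the fixed chain reloads relayd on every run; for a job scheduled daily or every 7th hour that is the intended behaviour, since the staple is what needs to stay fresh. The exit-status assumptions should be checked against acme-client(1) and ocspcheck(8) on the installed release before the chain replaces the crontab line.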