Wednesday, September 28, 2022

Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8

On Wed, 21 Sep 2022 at 10:49:27 -0400, Horia Racoviceanu wrote:
> ping
>
> On 9/16/22, Horia Racoviceanu <horia@racoviceanu.com> wrote:
> > - Changed the certificate renewal cron job based on the OCSP staple
> > interval for letsencrypt (for buypass it should be changed to run
> > every 7th hour) and based on the update steps listed by Stuart
> > - Replaced VARBASE with LOCALSTATEDIR
> >
> > I'd like to keep the acme-client and ocspcheck configuration in the
> > port README because I know some less OpenBSD savvy people who
> > installed the Honk package.
> >
> > On 7/31/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
> >> BTW, what do you think about a section in the FAQ about httpd, relayd and
> >> acme-client for all web applications?
> >>
> >> Am 31.07.22 um 13:12 schrieb Stuart Henderson:
> >>> 1. The staple needs to be updated periodically
> >>>
> >>> 2. If the certificate is updated the staple needs to be updated too
> >>>
> >>> 3. If either the certificate or the staple is changed, relayd needs a
> >>> reload
> >>>
> >>> To be honest I'm not sure if it really belongs in the doc for some
> >>> random port in www, this applies to anyone using relayd to front-end a
> >>> web application.
> >>>
> >>> --
> >>> Sent from a phone, apologies for poor formatting.
> >>>
> >>>
> >>> On 31 July 2022 02:16:13 Christoph Roland Winter <me@the.floof.rocks>
> >>> wrote:
> >>>
> >>>> Besides this question, the idea of OCSP is
> >>>>
> >>>> By turning on OCSP Stapling, you can improve the performance of your
> >>>> website, provide better privacy protections for your users, and help
> >>>> Let's Encrypt efficiently serve as many people as possible.
> >>>>
> >>>> https://letsencrypt.org/docs/integration-guide/
> >>>>
> >>>> Is it better to update the OCSP file before it expires or update it only
> >>>> seldom (in this case the question is whether it is not better not to use
> >>>> OCSP)?
> >>>>
> >>>> Am 31.07.22 um 00:33 schrieb Horia Racoviceanu:
> >>>>> I've switched the cron job to chaining acme-client && ocspcheck on June 20.
> >>>>> Both the certificate and the OCSP response were last updated on June 20.
> >>>>>
> >>>>> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
> >>>>> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20
> >>>>> 05:46:59 2022
> >>>>>
> >>>>> relayd and Firefox do not complain.
> >>>>>
> >>>>> ssllabs.com reports:
> >>>>>
> >>>>> OCSP Must Staple No
> >>>>> OCSP stapling Yes
> >>>>> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC
> >>>>> 2022
> >>>>>
> >>>>> Can the OCSP STAPLING ERROR be ignored?
> >>>>>
> >>>>> On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
> >>>>>> Welcome.
> >>>>>>
> >>>>>> The question is then, why the OCSP staple file expires after hours or 7
> >>>>>> days and the certificate will be renewed after 60 days following man 1
> >>>>>> acme-client
> >>>>>>
> >>>>>> -F Force certificate renewal, even if it has more than 30 days validity.
> >>>>>>
> >>>>>> It can't be the idea to have so long an expired OCSP file (saw Firefox in
> >>>>>> the past complain when an outdated OCSP file exists). So, if you replace
> >>>>>> the first && with a ; nothing will change as the last && to reload
> >>>>>> relayd will only happen if the cert or the OCSP file (or both) was
> >>>>>> renewed and if both are up to date nothing will happen.
> >>>>>>
> >>>>>> Just my 2 cents.
> >>>>>>
> >>>>>> Regards,
> >>>>>>
> >>>>>>
> >>>>>> Christoph
> >>>>>>
> >>>>>> Am 30.07.22 um 19:07 schrieb Horia Racoviceanu:
> >>>>>>> Thanks for testing!
> >>>>>>>
> >>>>>>> As Stuart Henderson mentioned,
> >>>>>>>> You do really want to update OCSP if a cert has been renewed.
> >>>>>>>
> >>>>>>> On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> I have only kept the first message and was some time not subscribed to
> >>>>>>>> the list - let's see where the message ends.
> >>>>>>>>
> >>>>>>>> I tried the latest patch from
> >>>>>>>> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
> >>>>>>>> fine using
> >>>>>>>>
> >>>>>>>> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
> >>>>>>>> -current ports tree using amd64.
> >>>>>>>>
> >>>>>>>> Maybe I am wrong but the crontab from the above patch
> >>>>>>>>
> >>>>>>>> +~ ~ * * * acme-client honk.example.com && ocspcheck -No
> >>>>>>>> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload
> >>>>>>>> relayd
> >>>>>>>>
> >>>>>>>> needs to be modified. The first && must be replaced with ; (or split
> >>>>>>>> into 2 cron jobs). As it is now, the ocsp file only gets renewed every
> >>>>>>>> 60 days, as acme-client renews the certificate only 30 days before it
> >>>>>>>> expires (checked with the -v option and, as nothing happened before, &&
> >>>>>>>> stops at this point). BTW my ocsp file with the above command is valid
> >>>>>>>> for 7 days.
> >>>>>>>>
> >>>>>>>> ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
> >>>>>>>> Using http to host r3.o.lencr.org, port 80, path /
> >>>>>>>> OCSP response validated from r3.o.lencr.org
> >>>>>>>> This Update: Thu Jul 28 15:00:00 2022
> >>>>>>>> Next Update: Thu Aug 4 14:59:58 2022
> >>>>>>>>
> >>>>>>>> The only thing I did was using the /etc/examples/acme-client.conf file,
> >>>>>>>> added my email and added the domain blocks.
> >>>>>>>>
> >>>>>>>> Regards,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Christoph
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Am 01.06.22 um 23:37 schrieb Horia Racoviceanu:
> >>>>>>>>> Upgrade to v0.9.8
> >>>>>>>>> - Add MESSAGE
> >>>>>>>>> - Update README
> >>>>>>>>>
> >>>>>>>>> changelog
> >>>>>>>>>
> >>>>>>>>> === 0.9.8 Tentative Tentacle
> >>>>>>>>>
> >>>>>>>>> + Switch database to WAL mode.
> >>>>>>>>>
> >>>>>>>>> - go version 1.16 required.
> >>>>>>>>>
> >>>>>>>>> + Specify banner: image in profile.
> >>>>>>>>>
> >>>>>>>>> + Update activity compatibility with mastodon.
> >>>>>>>>>
> >>>>>>>>> - Signed fetch.
> >>>>>>>>>
> >>>>>>>>> + Better unicode hashtags.
> >>>>>>>>>
> >>>>>>>>> + Some more configuration options.
> >>>>>>>>>
> >>>>>>>>> + Some UI improvements to web interface.
> >>>>>>>>>
> >>>>>>>>> + Add atme class to mentions
> >>>>>>>>>
> >>>>>>>>> + Improvements to the mastodon importer.
> >>>>>>>>>
> >>>>>>>>> + More hydration capable pages.
> >>>>>>>>>
> >>>>>>>>> + Support for local.js.
> >>>>>>>>>
> >>>>>>>>> + Better error messages for timeouts.
> >>>>>>>>>
> >>>>>>>>> + Some improved html and markdown.
> >>>>>>>>
> >>>>>>
> >>>
> >>
> >
>

Asking as a new user, that cronjob to "cleanup" won't fail without the .db in
that PATH?

--

%gonzalo
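As an added example, not code from any message in the thread, the honk port or the honk project: the renewal job the quoted messages argue over, written as a wrapper script that acts on acme-client(1)'s documented exit status (0 when the certificate changed, 2 when it did not, 1 on error) instead of relying on && short-circuiting. It refreshes the staple when the certificate changed or the staple file is older than a chosen age, and reloads relayd only when something on disk changed. The 24-hour threshold, the domain, the /etc/ssl paths and the use of OpenBSD's stat(1) -f format are assumptions.

```shell
#!/bin/sh
# Cron wrapper for certificate + OCSP staple renewal in front of relayd.
# acme-client(1) exits 0 if the certificate changed, 2 if it did not, 1 on
# error; that is why "acme-client && ocspcheck" skips the staple refresh on
# every run where the certificate was still valid.
DOMAIN=${DOMAIN:-honk.example.com}          # assumed, as in the thread's example
CERT=/etc/ssl/$DOMAIN.crt                   # assumed paths
STAPLE=/etc/ssl/$DOMAIN.ocsp
MAX_STAPLE_AGE_HOURS=${MAX_STAPLE_AGE_HOURS:-24}   # assumed; well inside the 7-day window

# Decision logic kept apart from the commands so it can be tested on its own.
# $1 = acme-client exit status, $2 = staple age in hours (-1 = no staple file).
# Prints what needs doing: "both" (cert and staple), "staple", "none" or "error".
plan() {
  case $1 in
    0) echo both; return 0 ;;   # new certificate: the old staple no longer matches it
    2) ;;                       # certificate unchanged: decide on staple age alone
    *) echo error; return 1 ;;
  esac
  if [ "$2" -lt 0 ] || [ "$2" -ge "$MAX_STAPLE_AGE_HOURS" ]; then
    echo staple
  else
    echo none
  fi
}

# Age of a file in hours, -1 if it does not exist (OpenBSD stat(1) -f format).
file_age_hours() {
  [ -f "$1" ] || { echo -1; return; }
  echo $(( ( $(date +%s) - $(stat -f %m "$1") ) / 3600 ))
}

# The actual cron job body: reload relayd only when something on disk changed.
run() {
  acme-client "$DOMAIN"; st=$?
  action=$(plan "$st" "$(file_age_hours "$STAPLE")") || {
    echo "acme-client $DOMAIN failed with status $st" >&2; return 1; }
  case $action in
    both|staple) ocspcheck -No "$STAPLE" "$CERT" || return 1 ;;
  esac
  if [ "$action" != none ]; then rcctl reload relayd; fi
}

if [ "${1:-}" = run ]; then run; fi
```

Installed as a daily cron entry with the "run" argument, this keeps the staple fresh between certificate renewals while still reloading relayd only when the certificate or staple actually changed.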
