Binaries in CVS are not a great idea.

On 2022/06/26 12:26, Horia Racoviceanu wrote:
> Changed the acme-client cron job to run daily, and chained ocspcheck
> and relayd reload.
> 
> ~ ~ * * * acme-client honk.example.com && ocspcheck -No \
> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
> 
> Added "favicon.ico" and "icon.png" in the port $FILESDIR to be
> installed into $EXAMPLESDIR and @sample into /var/honk
> 
> I haven't used DISTFILES because the icons are located on a private
> honk instance, not in the distribution repo. I sent a request upstream
> to include "favicon.ico" and "icon.png" in the honk repo so they'll
> install by default.
> 
> Thank you both! Sorry for the long delay, I've been testing the new cron job.
> 
> On 6/20/22, Stuart Henderson <s...@spacehopper.org> wrote:
> > On 2022/06/19 13:28, Horia Racoviceanu wrote:
> >> From my tests, the OCSP response is valid for a few hours e.g.
> >>
> >> Using http to host ocsp.buypass.com, port 80, path /
> >> OCSP response validated from ocsp.buypass.com
> >>            This Update: Sun Jun 19 09:55:11 2022
> >>            Next Update: Sun Jun 19 17:55:11 2022
> >>
> >> This is why I don't use "&&" to restart relayd when there's a new OCSP
> >> response without a certificate renewal or vice versa.
> >>
> >> relayd could restart only when there's a new OCSP response but I
> >> haven't tested it e.g.
> >>
> >> ~ * * * * acme-client honk.example.com; ocspcheck -No \
> >> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl restart relayd
> >>
> >> Or I could separate acme-client and ocspcheck cron jobs and use "&&"
> >> on both but I'm afraid there may be a few minutes of stale OCSP
> >> response e.g.
> >>
> >> ~ * * * * acme-client honk.example.com && rcctl restart relayd
> >> ~ * * * * ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} \
> >> && rcctl restart relayd
> >>
> >> What do you think?
> >
> > acme-client doesn't need to run every hour. Once a day is plenty.
> > You do really want to update OCSP if a cert has been renewed.
> >
> > Isn't "reload" enough? A full restart of relayd is rather disruptive
> > especially if it's running multiple services.
> >
> > Looking at the existing pkg-readme:
> >
> > : Icon and favicon
> > : ----------------
> > :
> > : honk# mkdir ${VARBASE}/www/htdocs/honk
> > : honk# ftp -o ${VARBASE}/www/htdocs/honk/icon.png \
> > :   https://honk.tedunangst.com/icon.png
> > : honk# ftp -o ${VARBASE}/www/htdocs/honk/favicon.ico \
> > :   https://honk.tedunangst.com/favicon.ico
> >
> > Why not include these in the package? Easiest way is probably to install
> > in /usr/local/share/examples/honk and @sample into /var/www.
> >
> >


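The thread circles around one problem with a plain "&&" chain: acme-client exits non-zero when the certificate is unchanged, so the OCSP refresh and the relayd reload never run on the days the cert is not renewed, and the reverse problem appears if the two jobs are split. The script below is an added example, not code from the thread or from the honk port; it keeps the daily acme-client run, forces a fresh OCSP response whenever the certificate changed (so the new cert is never stapled with the old response), otherwise refreshes the staple only when the existing one has expired, and reloads relayd only when one of the two files actually changed. The hostname, the $SYSCONFDIR default and the exit-status mapping are assumptions: check acme-client(1) and ocspcheck(8) on your release before relying on them.

```shell
#!/bin/sh
# Added example: renew the cert, refresh the OCSP staple, reload relayd
# only when something changed.  Intended to run once a day from cron, e.g.
#   ~ ~ * * * /usr/local/sbin/honk-renew run
#
# Exit statuses assumed from the man pages (verify on your system):
#   acme-client:   0 = certificates changed, 1 = error, 2 = unchanged
#   ocspcheck -N:  0 = new response written,  1 = error, 2 = existing response still valid
# HOST and SYSCONFDIR are placeholders, override them from the environment.

HOST=${HOST:-honk.example.com}
SYSCONFDIR=${SYSCONFDIR:-/etc}
CRT="$SYSCONFDIR/ssl/$HOST.crt"
OCSP="$SYSCONFDIR/ssl/$HOST.ocsp"

# reload_needed CERT_RC OCSP_RC
# Pure decision function so the policy can be tested without running the tools.
# Returns 0 (reload) when either file changed, 1 otherwise.  An error from
# ocspcheck on an unchanged cert is deliberately not a reason to reload: the
# staple on disk is the one relayd already serves.
reload_needed() {
    cert_rc=$1
    ocsp_rc=$2
    [ "$cert_rc" -eq 0 ] && return 0   # new certificate: reload regardless of the OCSP result
    [ "$ocsp_rc" -eq 0 ] && return 0   # same certificate, fresh OCSP response
    return 1
}

main() {
    acme-client "$HOST"
    cert_rc=$?
    case $cert_rc in
        0)
            # Certificate renewed: drop -N so the old response is never reused.
            ocspcheck -o "$OCSP" "$CRT"
            ocsp_rc=$?
            ;;
        2)
            # Certificate unchanged: only fetch if the existing response has expired.
            ocspcheck -No "$OCSP" "$CRT"
            ocsp_rc=$?
            ;;
        *)
            echo "acme-client $HOST failed with status $cert_rc" >&2
            return "$cert_rc"
            ;;
    esac
    if reload_needed "$cert_rc" "$ocsp_rc"; then
        rcctl reload relayd
    fi
}

# Run the pipeline only when explicitly asked, so the file can also be
# sourced to reuse reload_needed.
case "${1-}" in
    run) main ;;
esac
```

Because the OCSP response in the thread is only valid for about eight hours while the script runs daily, a second cron entry running just the ocspcheck step more often (hourly, as in the original) is still needed; the same reload_needed policy applies there with a cert status of 2.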