Besides this question, the idea of OCSP is

By turning on OCSP Stapling, you can improve the performance of your website, provide better privacy protections for your users, and help Let’s Encrypt efficiently serve as many people as possible.

https://letsencrypt.org/docs/integration-guide/

Is it better to update the OCSP file before it expires, or to update it only seldom (in which case the question is whether it is not better to not use OCSP)?

On 31.07.22 at 00:33, Horia Racoviceanu wrote:
I've switched the cron job to chaining acme-client && ocspcheck on June 20.
Both the certificate and the OCSP response were last updated on June 20.

# ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 05:46:59 2022

relayd and Firefox do not complain.

ssllabs.com reports:

OCSP Must Staple No
OCSP stapling  Yes
OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC 2022

Can the OCSP STAPLING ERROR be ignored?

On 7/30/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
Welcome.

The question then is why the OCSP staple file expires after hours or 7
days while the certificate will only be renewed after 60 days, following man 1
acme-client:

       -F      Force certificate renewal, even if it has more than 30 days
               validity.

It can't be the idea to have an OCSP file that has been expired for so long (I saw Firefox
complain in the past when an outdated OCSP file exists). So, if you replace
the first && with a ; nothing will change, as the last && to reload
relayd will only happen if the cert or the OCSP file (or both) was
renewed, and if both are up to date nothing will happen.

Just my 2 cents.

Regards,


Christoph

On 30.07.22 at 19:07, Horia Racoviceanu wrote:
Thanks for testing!

As Stuart Henderson mentioned,
You do really want to update OCSP if a cert has been renewed.

On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
Hello,

I have only kept the first message and was not subscribed to the list for
some time - let's see where the message ends.

I tried the latest patch from
https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
fine using

OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
-current ports tree using amd64.

Maybe I am wrong but the crontab from the above patch

+~ ~ * * * acme-client honk.example.com && ocspcheck -No
${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
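Review bot: the first && in this crontab entry makes ocspcheck conditional on acme-client exiting successfully, which (as the discussion below notes) only happens on the run where the certificate is actually renewed, so the staple is refreshed at most once per certificate lifetime even though the response shown below is only valid for 7 days; run the two steps independently, e.g. `acme-client honk.example.com; ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd`, or split them into two cron entries.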

needs to be modified. The first && must be replaced with ; (or split
into 2 cron jobs). As it is now, the ocsp file only gets renewed every 60
days, as acme-client renews the certificate only 30 days before it
expires (checked with the -v option, and as nothing happened before, &&
stops at this point). BTW my ocsp file with the above command is valid
for 7 days.

ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
Using http to host r3.o.lencr.org, port 80, path /
OCSP response validated from r3.o.lencr.org
              This Update: Thu Jul 28 15:00:00 2022
              Next Update: Thu Aug  4 14:59:58 2022

The only thing I did was using the /etc/examples/acme-client.conf file,
added my email and added the domain blocks.

Regards,


Christoph


On 01.06.22 at 23:37, Horia Racoviceanu wrote:
Upgrade to v0.9.8
- Add MESSAGE
- Update README

changelog

=== 0.9.8 Tentative Tentacle

+ Switch database to WAL mode.

- go version 1.16 required.

+ Specify banner: image in profile.

+ Update activity compatibility with mastodon.

- Signed fetch.

+ Better unicode hashtags.

+ Some more configuration options.

+ Some UI improvements to web interface.

+ Add atme class to mentions

+ Improvements to the mastodon importer.

+ More hydration capable pages.

+ Support for local.js.

+ Better error messages for timeouts.

+ Some improved html and markdown.


