Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
The "cleanup" cron job for the user _honk will run in HOME which is /var/honk If another user runs that cron job, set HOME=/var/honk or `cd /var/honk && honk cleanup` or `honk -datadir /var/honk cleanup` and .db permission On September 28, 2022 4:57:51 PM UTC, "Gonzalo L. Rodriguez" wrote: >On Wed, 21 Sep 2022 at 10:49:27 -0400, Horia Racoviceanu wrote: >> ping >> >> On 9/16/22, Horia Racoviceanu wrote: >> > - Changed the certificate renewal cron job based on the OCSP staple >> > interval for letsencrypt (for buypass it should be changed to run >> > every 7th hour) and based on the update steps listed by Stuart >> > - Replaced VARBASE with LOCALSTATEDIR >> > >> > I'd like to keep the acme-client and ocspcheck configuration in the >> > port README because I know some less OpenBSD savvy people who >> > installed the Honk package. >> > >> > On 7/31/22, Christoph Roland Winter wrote: >> >> BTW what you think about a section in the FAQ about httpd, relayd, >> >> acme-client for all web applications. >> >> >> >> Am 31.07.22 um 13:12 schrieb Stuart Henderson: >> >>> 1. The staple needs to be updated periodically >> >>> >> >>> 2. If the certificate is updated the staple needs to be updated too >> >>> >> >>> 3. If either the certificate or the staple are changed, relayd needs a >> >>> reload >> >>> >> >>> To be honest I'm not sure if it really belongs in the doc for some >> >>> random port in www, this applies to anyone using relayd to front-end a >> >>> web application. >> >>> >> >>> -- >> >>>Sent from a phone, apologies for poor formatting. >> >>> >> >>> >> >>> On 31 July 2022 02:16:13 Christoph Roland Winter >> >>> wrote: >> >>> >> Beside of this question, the idea of OCSP is >> >> By turning on OCSP Stapling, you can improve the performance of your >> website, provide better privacy protections for your users, and help >> Let’s Encrypt efficiently serve as many people as possible. 
>> >> https://letsencrypt.org/docs/integration-guide/ >> >> Is it better to update the OCSP file before it expires or update it >> only >> seldom (in this case the question is, whether it is not better to don't >> use OCSP). >> >> Am 31.07.22 um 00:33 schrieb Horia Racoviceanu: >> > I've switched the cron job to chaining acme-client && ocspcheck on >> > June 20. >> > Both the certificate and the OCSP response were last updated on June >> > 20. >> > >> > # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt} >> > ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 >> > 05:46:59 2022 >> > >> > relayd and Firefox do not complain. >> > >> > ssllabs.com reports: >> > >> > OCSP Must Staple No >> > OCSP stapling Yes >> > OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC >> > 2022 >> > >> > Can the OCSP STAPLING ERROR be ignored? >> > >> > On 7/30/22, Christoph Roland Winter wrote: >> >> Welcome. >> >> >> >> The question is then, why the OCSP staple file expires after hours or >> >> 7 >> >> days and the certificate will be renewed after 60 days following man >> >> 1 >> >> acme-client >> >> >> >> -F Force certificate renewal, even if it has more than 30 days >> >> validity. >> >> >> >> It can't be the idea to have so long a expired OCSP file (saw Firefox >> >> in >> >> the past complain when a outdated OCSP file exists). So, if you >> >> replace >> >> the first && with a ; nothing will change as the last && to reload >> >> relayd will only happen if the cert or the OCSP file (or both) was >> >> renewed and if booth are up to date nothing will happen. >> >> >> >> Just my 2 cents. >> >> >> >> Regards, >> >> >> >> >> >> Christoph >> >> >> >> Am 30.07.22 um 19:07 schrieb Horia Racoviceanu: >> >>> Thanks for testing! >> >>> >> >>> As Stuart Henderson mentioned, >> You do really want to update OCSP if a cert has been renewed. 
>> >>> >> >>> On 7/29/22, Christoph Roland Winter wrote: >> Hello, >> >> I have only kept the first message and was some time not subscribed >> to >> the list - lets see, where the message ends. >> >> I tried the latest patch from >> https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it >> worked >> fine using >> >> OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 >> and the >> -current ports tree using amd64. >> >> Maybe I am wrong but the crontab from the above patch >> >> +~ ~ * * * acme-client honk.example.com && ocspcheck -No >> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload >> relayd >> >> needs to be modified. The first && must be replaced
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
On Wed, 21 Sep 2022 at 10:49:27 -0400, Horia Racoviceanu wrote: > ping > > On 9/16/22, Horia Racoviceanu wrote: > > - Changed the certificate renewal cron job based on the OCSP staple > > interval for letsencrypt (for buypass it should be changed to run > > every 7th hour) and based on the update steps listed by Stuart > > - Replaced VARBASE with LOCALSTATEDIR > > > > I'd like to keep the acme-client and ocspcheck configuration in the > > port README because I know some less OpenBSD savvy people who > > installed the Honk package. > > > > On 7/31/22, Christoph Roland Winter wrote: > >> BTW what you think about a section in the FAQ about httpd, relayd, > >> acme-client for all web applications. > >> > >> Am 31.07.22 um 13:12 schrieb Stuart Henderson: > >>> 1. The staple needs to be updated periodically > >>> > >>> 2. If the certificate is updated the staple needs to be updated too > >>> > >>> 3. If either the certificate or the staple are changed, relayd needs a > >>> reload > >>> > >>> To be honest I'm not sure if it really belongs in the doc for some > >>> random port in www, this applies to anyone using relayd to front-end a > >>> web application. > >>> > >>> -- > >>>Sent from a phone, apologies for poor formatting. > >>> > >>> > >>> On 31 July 2022 02:16:13 Christoph Roland Winter > >>> wrote: > >>> > Beside of this question, the idea of OCSP is > > By turning on OCSP Stapling, you can improve the performance of your > website, provide better privacy protections for your users, and help > Let’s Encrypt efficiently serve as many people as possible. > > https://letsencrypt.org/docs/integration-guide/ > > Is it better to update the OCSP file before it expires or update it > only > seldom (in this case the question is, whether it is not better to don't > use OCSP). > > Am 31.07.22 um 00:33 schrieb Horia Racoviceanu: > > I've switched the cron job to chaining acme-client && ocspcheck on > > June 20. 
> > Both the certificate and the OCSP response were last updated on June > > 20. > > > > # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt} > > ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20 > > 05:46:59 2022 > > > > relayd and Firefox do not complain. > > > > ssllabs.com reports: > > > > OCSP Must Staple No > > OCSP stapling Yes > > OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC > > 2022 > > > > Can the OCSP STAPLING ERROR be ignored? > > > > On 7/30/22, Christoph Roland Winter wrote: > >> Welcome. > >> > >> The question is then, why the OCSP staple file expires after hours or > >> 7 > >> days and the certificate will be renewed after 60 days following man > >> 1 > >> acme-client > >> > >> -F Force certificate renewal, even if it has more than 30 days > >> validity. > >> > >> It can't be the idea to have so long a expired OCSP file (saw Firefox > >> in > >> the past complain when a outdated OCSP file exists). So, if you > >> replace > >> the first && with a ; nothing will change as the last && to reload > >> relayd will only happen if the cert or the OCSP file (or both) was > >> renewed and if booth are up to date nothing will happen. > >> > >> Just my 2 cents. > >> > >> Regards, > >> > >> > >> Christoph > >> > >> Am 30.07.22 um 19:07 schrieb Horia Racoviceanu: > >>> Thanks for testing! > >>> > >>> As Stuart Henderson mentioned, > You do really want to update OCSP if a cert has been renewed. > >>> > >>> On 7/29/22, Christoph Roland Winter wrote: > Hello, > > I have only kept the first message and was some time not subscribed > to > the list - lets see, where the message ends. > > I tried the latest patch from > https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it > worked > fine using > > OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 > and the > -current ports tree using amd64. 
> > Maybe I am wrong but the crontab from the above patch > > +~ ~ * * * acme-client honk.example.com && ocspcheck -No > ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload > relayd > > needs to be modified. The first && must be replaced with ; (or > splited > in 2 cron jobs). As it is now, the ocsp file gets only renewed all > 60 > days, as acme-client renews the certificate only 30 days before it > expires (checked with the -v option and as nothing happened before, > && > stops at this point). BTW my ocsp file with the above command is > valid > for 7 days. > >
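Added example, not part of the thread or of the honk port: a cron-run script that applies the three rules Stuart Henderson lists and avoids the `&&` short-circuit described above. The function name, the variable names and the script path in the usage comment are assumptions; `acme-client`, `ocspcheck -No` and `rcctl reload relayd` are the commands the thread itself uses.

```shell
#!/bin/sh
# Added example: certificate renewal, staple refresh and relayd reload
# as one job. Names and paths here are illustrative assumptions.

# Held in variables so the logic can be exercised with stand-ins.
: "${ACME_CLIENT:=acme-client}"
: "${OCSPCHECK:=ocspcheck}"
: "${RELOAD:=rcctl reload relayd}"

# renew_and_staple domain certfile staplefile
# Exit status: 0 = everything current or refreshed, 1 = something failed.
renew_and_staple() {
	domain=$1 crt=$2 ocsp=$3
	changed=0 rc=0 acme=0

	# acme-client(1) exits 0 when it wrote a new certificate, 2 when the
	# existing one is still current, and 1 on failure. Chaining with "&&"
	# treats 2 as failure, so the staple is only refreshed on renewal.
	$ACME_CLIENT "$domain" || acme=$?
	case $acme in
	0) changed=1 ;;
	2) ;;
	*) echo "acme-client failed for $domain (exit $acme)" >&2
	   return 1 ;;
	esac

	# Rules 1 and 2: ask for a staple on every run, renewed cert or not.
	# Fetch into a temporary file in the same directory so a failed or
	# unvalidated response never replaces the staple currently in use.
	tmp=$(mktemp "$ocsp.XXXXXXXXXX") || return 1
	if $OCSPCHECK -No "$tmp" "$crt"; then
		if [ -f "$ocsp" ] && cmp -s "$tmp" "$ocsp"; then
			rm -f "$tmp"            # responder returned the same bytes
		else
			chmod 0644 "$tmp"       # an OCSP response is public data
			mv -f "$tmp" "$ocsp"    # rename is atomic within one filesystem
			changed=1
		fi
	else
		rm -f "$tmp"
		echo "ocspcheck failed for $crt; keeping existing staple" >&2
		rc=1
	fi

	# Rule 3: reload only when the certificate or the staple changed.
	if [ "$changed" -eq 1 ]; then
		$RELOAD || rc=1
	fi
	return "$rc"
}

# Cron usage (hypothetical script path, /etc/ssl naming as in the thread):
#   ~ ~ * * * /usr/local/sbin/renew-staple honk.example.com
if [ $# -eq 1 ]; then
	renew_and_staple "$1" "/etc/ssl/$1.crt" "/etc/ssl/$1.ocsp"
fi
```

A non-zero exit with the message on stderr means cron mails the failure instead of silently leaving an expired staple in place.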
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
Hy, > Am 23.09.2022 um 20:24 schrieb Horia Racoviceanu : > > Thank you for the MESSAGE and README change. But continue your good work. We should try to get your informations upstream to tedu. > I confirm that the backup/upgrade must be done *after* updating the package. > v0.9.8 is required to upgrade the old database. Yes, I can also confirm that. Everything worked as I did the upgrade from 0.9.7 to 0.9.8 some weeks ago. BTW is there a option to stop a already running Honk in case of a DB upgrade. Maybe I think to complicated but what is, if there is a running Honk and someone tries to launch the new one (just to prevent that the DB get broken - we know, that many people do no backups … don’t look at me ;-) ). > > On 9/23/22, Stuart Henderson wrote: >> On 2022/09/23 12:27, Horia Racoviceanu wrote: >>> Index: pkg/MESSAGE >>> === >>> RCS file: pkg/MESSAGE >>> diff -N pkg/MESSAGE >>> --- /dev/null 1 Jan 1970 00:00:00 - >>> +++ pkg/MESSAGE 23 Sep 2022 16:17:47 - 
>>> @@ -0,0 +1,15 @@ >>> +The database has changed since version 0.9.7 >>> + >>> +Stop the old honk process. >>> +honk# rcctl stop honk >>> + >>> +Backup the database. >>> +honk# doas -su _honk >>> +honk$ umask 077; cd ${LOCALSTATEDIR}/honk && honk backup `date >>> +backup-%F` >>> + >>> +Perform the upgrade with the upgrade command. >>> +honk$ honk upgrade >>> +honk$ exit >>> + >>> +Restart. >>> +honk# rcctl start honk >> >> This is too long for MESSAGE, we don't want pages of information >> scrolling after pkg_add. I suggest a single line and add the main >> bit to pkg-readme as below. >> >> I don't use this software. Can you confirm that the backup/upgrade >> steps are OK to do *after* updating the package, or do users need to >> do something *before* updating? >> >> If it's before, then the information will need to go in upgrade >> docs (via faq/current.html) instead because they won't see this message >> until after they've updated packages. >> >> >> Index: Makefile >> === >> RCS file: /cvs/ports/www/honk/Makefile,v >> retrieving revision 1.19 >> diff -u -p -r1.19 Makefile >> --- Makefile 11 Mar 2022 20:09:55 - 1.19 >> +++ Makefile 23 Sep 2022 16:35:04 - >> @@ -1,6 +1,6 @@ >> COMMENT =federated status conveyance >> >> -DISTNAME = honk-0.9.7 >> +DISTNAME = honk-0.9.8 >> CATEGORIES = www >> >> HOMEPAGE = https://humungus.tedunangst.com/r/honk >> @@ -13,6 +13,8 @@ PERMIT_PACKAGE = Yes >> WANTLIB += c pthread sqlite3 >> >> MASTER_SITES = ${HOMEPAGE}/d/ >> +DISTFILES = ${EXTRACT_ONLY} honk-{../v/tip/d/views/}icon.png >> +EXTRACT_ONLY = ${DISTNAME}${EXTRACT_SUFX} >> EXTRACT_SUFX = .tgz >> >> MODULES =lang/go >> @@ -21,8 +23,7 @@ LIB_DEPENDS = databases/sqlite3 >> NO_TEST =Yes >> ALL_TARGET = humungus.tedunangst.com/r/honk >> >> -SUBST_VARS += VARBASE \ >> -SYSCONFDIR >> +SUBST_VARS += SYSCONFDIR >> >> DOCDIR ?=${PREFIX}/share/doc/honk >> EXAMPLESDIR =${PREFIX}/share/examples/honk 
>> @@ -53,5 +54,7 @@ post-install: >> ${EXAMPLESDIR}/views/ >> ${INSTALL_DATA} ${MODGO_WORKSPACE}/src/${ALL_TARGET}/schema.sql \ >> ${EXAMPLESDIR}/ >> +${INSTALL_DATA} ${DISTDIR}/honk-icon.png >> ${EXAMPLESDIR}/views/favicon.ico >> +${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/icon.png >> >> .include >> Index: distinfo >> === >> RCS file: /cvs/ports/www/honk/distinfo,v >> retrieving revision 1.11 >> diff -u -p -r1.11 distinfo >> --- distinfo 2 Mar 2022 07:31:01 - 1.11 >> +++ distinfo 23 Sep 2022 16:35:04 - >> @@ -1,2 +1,4 @@ >> -SHA256 (honk-0.9.7.tgz) = t6EM5E98qvlnq6Y6vd21MvPBrWpkmo4qXdgNEUAeF7M= >> -SIZE (honk-0.9.7.tgz) = 522993 >> +SHA256 (honk-0.9.8.tgz) = BmZgMvN7fFrft+W0+V2j3tezI5kRLl/7Fx5wIVXwCG4= >> +SHA256 (honk-icon.png) = 92RJuF2onJ/1OYs4E4TYDm9KbzmNKISl+1+MSdhpzUQ= >> +SIZE (honk-0.9.8.tgz) = 511957 >> +SIZE (honk-icon.png) = 912 >> Index: pkg/MESSAGE >> === >> RCS file: pkg/MESSAGE >> diff -N pkg/MESSAGE >> --- /dev/null1 Jan 1970 00:00:00 - >> +++ pkg/MESSAGE 23 Sep 2022 16:35:04 - >> @@ -0,0 +1 @@ >> +The database has changed since version 0.9.7. See the pkg-readme. >> Index: pkg/PLIST >> === >> RCS file: /cvs/ports/www/honk/pkg/PLIST,v >> retrieving revision 1.9 >> diff -u -p -r1.9 PLIST >> --- pkg/PLIST11 Mar 2022 20:09:55 - 1.9 >> +++ pkg/PLIST23 Sep 2022 16:35:04 - >> @@ -1,5 +1,5 @@ >> @newgroup _honk:833 >> -@newuser _honk:833:_honk:daemon:H
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
Thank you for the MESSAGE and README change. I confirm that the backup/upgrade must be done *after* updating the package. v0.9.8 is required to upgrade the old database. On 9/23/22, Stuart Henderson wrote: > On 2022/09/23 12:27, Horia Racoviceanu wrote: >> Index: pkg/MESSAGE >> === >> RCS file: pkg/MESSAGE >> diff -N pkg/MESSAGE >> --- /dev/null1 Jan 1970 00:00:00 - >> +++ pkg/MESSAGE 23 Sep 2022 16:17:47 - >> @@ -0,0 +1,15 @@ >> +The database has changed since version 0.9.7 >> + >> +Stop the old honk process. >> +honk# rcctl stop honk >> + >> +Backup the database. >> +honk# doas -su _honk >> +honk$ umask 077; cd ${LOCALSTATEDIR}/honk && honk backup `date >> +backup-%F` >> + >> +Perform the upgrade with the upgrade command. >> +honk$ honk upgrade >> +honk$ exit >> + >> +Restart. >> +honk# rcctl start honk > > This is too long for MESSAGE, we don't want pages of information > scrolling after pkg_add. I suggest a single line and add the main > bit to pkg-readme as below. > > I don't use this software. Can you confirm that the backup/upgrade > steps are OK to do *after* updating the package, or do users need to > do something *before* updating? > > If it's before, then the information will need to go in upgrade > docs (via faq/current.html) instead because they won't see this message > until after they've updated packages. > > > Index: Makefile > === > RCS file: /cvs/ports/www/honk/Makefile,v > retrieving revision 1.19 > diff -u -p -r1.19 Makefile > --- Makefile 11 Mar 2022 20:09:55 - 1.19 > +++ Makefile 23 Sep 2022 16:35:04 - > @@ -1,6 +1,6 @@ > COMMENT =federated status conveyance > > -DISTNAME = honk-0.9.7 > +DISTNAME = honk-0.9.8 > CATEGORIES = www > > HOMEPAGE = https://humungus.tedunangst.com/r/honk > @@ -13,6 +13,8 @@ PERMIT_PACKAGE =Yes > WANTLIB += c pthread sqlite3 > > MASTER_SITES = ${HOMEPAGE}/d/ > +DISTFILES = ${EXTRACT_ONLY} honk-{../v/tip/d/views/}icon.png > +EXTRACT_ONLY = ${DISTNAME}${EXTRACT_SUFX} > EXTRACT_SUFX = .tgz > > MODULES =lang/go 
> @@ -21,8 +23,7 @@ LIB_DEPENDS = databases/sqlite3 > NO_TEST =Yes > ALL_TARGET = humungus.tedunangst.com/r/honk > > -SUBST_VARS +=VARBASE \ > - SYSCONFDIR > +SUBST_VARS +=SYSCONFDIR > > DOCDIR ?=${PREFIX}/share/doc/honk > EXAMPLESDIR =${PREFIX}/share/examples/honk > @@ -53,5 +54,7 @@ post-install: > ${EXAMPLESDIR}/views/ > ${INSTALL_DATA} ${MODGO_WORKSPACE}/src/${ALL_TARGET}/schema.sql \ > ${EXAMPLESDIR}/ > + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png > ${EXAMPLESDIR}/views/favicon.ico > + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/icon.png > > .include > Index: distinfo > === > RCS file: /cvs/ports/www/honk/distinfo,v > retrieving revision 1.11 > diff -u -p -r1.11 distinfo > --- distinfo 2 Mar 2022 07:31:01 - 1.11 > +++ distinfo 23 Sep 2022 16:35:04 - > @@ -1,2 +1,4 @@ > -SHA256 (honk-0.9.7.tgz) = t6EM5E98qvlnq6Y6vd21MvPBrWpkmo4qXdgNEUAeF7M= > -SIZE (honk-0.9.7.tgz) = 522993 > +SHA256 (honk-0.9.8.tgz) = BmZgMvN7fFrft+W0+V2j3tezI5kRLl/7Fx5wIVXwCG4= > +SHA256 (honk-icon.png) = 92RJuF2onJ/1OYs4E4TYDm9KbzmNKISl+1+MSdhpzUQ= > +SIZE (honk-0.9.8.tgz) = 511957 > +SIZE (honk-icon.png) = 912 > Index: pkg/MESSAGE > === > RCS file: pkg/MESSAGE > diff -N pkg/MESSAGE > --- /dev/null 1 Jan 1970 00:00:00 - > +++ pkg/MESSAGE 23 Sep 2022 16:35:04 - > @@ -0,0 +1 @@ > +The database has changed since version 0.9.7. See the pkg-readme. > Index: pkg/PLIST > === > RCS file: /cvs/ports/www/honk/pkg/PLIST,v > retrieving revision 1.9 > diff -u -p -r1.9 PLIST > --- pkg/PLIST 11 Mar 2022 20:09:55 - 1.9 > +++ pkg/PLIST 23 Sep 2022 16:35:04 - > @@ -1,5 +1,5 @@ > @newgroup _honk:833 > -@newuser _honk:833:_honk:daemon:Honk User:${VARBASE}/honk:/sbin/nologin > +@newuser _honk:833:_honk:daemon:Honk > User:${LOCALSTATEDIR}/honk:/sbin/nologin > @rcscript ${RCDIR}/honk > @bin bin/autobonker > @bin bin/gettoken 
> @@ -19,11 +19,11 @@ > @mode 750 > @owner _honk > @group _honk > -@sample ${VARBASE}/honk/ > -@sample ${VARBASE}/honk/docs/ > -@sample ${VARBASE}/honk/emus/ > -@sample ${VARBASE}/honk/memes/ > -@sample ${VARBASE}/honk/views/ > +@sample ${LOCALSTATEDIR}/honk/ > +@sample ${LOCALSTATEDIR}/honk/docs/ > +@sample ${LOCALSTATEDIR}/honk/emus/ > +@sample ${LOCALSTATEDIR}/honk/memes/ > +@sample ${LOCALSTATEDIR}/honk/views/ > @mode > @owner > @group > @@ -31,75 +31,79 @@ share/doc/hon
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
On 2022/09/23 12:27, Horia Racoviceanu wrote: > Index: pkg/MESSAGE > === > RCS file: pkg/MESSAGE > diff -N pkg/MESSAGE > --- /dev/null 1 Jan 1970 00:00:00 - > +++ pkg/MESSAGE 23 Sep 2022 16:17:47 - > @@ -0,0 +1,15 @@ > +The database has changed since version 0.9.7 > + > +Stop the old honk process. > +honk# rcctl stop honk > + > +Backup the database. > +honk# doas -su _honk > +honk$ umask 077; cd ${LOCALSTATEDIR}/honk && honk backup `date +backup-%F` > + > +Perform the upgrade with the upgrade command. > +honk$ honk upgrade > +honk$ exit > + > +Restart. > +honk# rcctl start honk This is too long for MESSAGE, we don't want pages of information scrolling after pkg_add. I suggest a single line and add the main bit to pkg-readme as below. I don't use this software. Can you confirm that the backup/upgrade steps are OK to do *after* updating the package, or do users need to do something *before* updating? If it's before, then the information will need to go in upgrade docs (via faq/current.html) instead because they won't see this message until after they've updated packages. Index: Makefile === RCS file: /cvs/ports/www/honk/Makefile,v retrieving revision 1.19 diff -u -p -r1.19 Makefile --- Makefile11 Mar 2022 20:09:55 - 1.19 +++ Makefile23 Sep 2022 16:35:04 - @@ -1,6 +1,6 @@ COMMENT = federated status conveyance -DISTNAME = honk-0.9.7 +DISTNAME = honk-0.9.8 CATEGORIES = www HOMEPAGE = https://humungus.tedunangst.com/r/honk @@ -13,6 +13,8 @@ PERMIT_PACKAGE = Yes WANTLIB += c pthread sqlite3 MASTER_SITES = ${HOMEPAGE}/d/ +DISTFILES =${EXTRACT_ONLY} honk-{../v/tip/d/views/}icon.png +EXTRACT_ONLY = ${DISTNAME}${EXTRACT_SUFX} EXTRACT_SUFX = .tgz MODULES = lang/go @@ -21,8 +23,7 @@ LIB_DEPENDS = databases/sqlite3 NO_TEST = Yes ALL_TARGET = humungus.tedunangst.com/r/honk -SUBST_VARS += VARBASE \ - SYSCONFDIR +SUBST_VARS += SYSCONFDIR DOCDIR ?= ${PREFIX}/share/doc/honk EXAMPLESDIR = ${PREFIX}/share/examples/honk 
@@ -53,5 +54,7 @@ post-install: ${EXAMPLESDIR}/views/ ${INSTALL_DATA} ${MODGO_WORKSPACE}/src/${ALL_TARGET}/schema.sql \ ${EXAMPLESDIR}/ + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/favicon.ico + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/icon.png .include Index: distinfo === RCS file: /cvs/ports/www/honk/distinfo,v retrieving revision 1.11 diff -u -p -r1.11 distinfo --- distinfo2 Mar 2022 07:31:01 - 1.11 +++ distinfo23 Sep 2022 16:35:04 - @@ -1,2 +1,4 @@ -SHA256 (honk-0.9.7.tgz) = t6EM5E98qvlnq6Y6vd21MvPBrWpkmo4qXdgNEUAeF7M= -SIZE (honk-0.9.7.tgz) = 522993 +SHA256 (honk-0.9.8.tgz) = BmZgMvN7fFrft+W0+V2j3tezI5kRLl/7Fx5wIVXwCG4= +SHA256 (honk-icon.png) = 92RJuF2onJ/1OYs4E4TYDm9KbzmNKISl+1+MSdhpzUQ= +SIZE (honk-0.9.8.tgz) = 511957 +SIZE (honk-icon.png) = 912 Index: pkg/MESSAGE === RCS file: pkg/MESSAGE diff -N pkg/MESSAGE --- /dev/null 1 Jan 1970 00:00:00 - +++ pkg/MESSAGE 23 Sep 2022 16:35:04 - @@ -0,0 +1 @@ +The database has changed since version 0.9.7. See the pkg-readme. Index: pkg/PLIST === RCS file: /cvs/ports/www/honk/pkg/PLIST,v retrieving revision 1.9 diff -u -p -r1.9 PLIST --- pkg/PLIST 11 Mar 2022 20:09:55 - 1.9 +++ pkg/PLIST 23 Sep 2022 16:35:04 - @@ -1,5 +1,5 @@ @newgroup _honk:833 -@newuser _honk:833:_honk:daemon:Honk User:${VARBASE}/honk:/sbin/nologin +@newuser _honk:833:_honk:daemon:Honk User:${LOCALSTATEDIR}/honk:/sbin/nologin @rcscript ${RCDIR}/honk @bin bin/autobonker @bin bin/gettoken @@ -19,11 +19,11 @@ @mode 750 @owner _honk @group _honk -@sample ${VARBASE}/honk/ -@sample ${VARBASE}/honk/docs/ -@sample ${VARBASE}/honk/emus/ -@sample ${VARBASE}/honk/memes/ -@sample ${VARBASE}/honk/views/ +@sample ${LOCALSTATEDIR}/honk/ +@sample ${LOCALSTATEDIR}/honk/docs/ +@sample ${LOCALSTATEDIR}/honk/emus/ +@sample ${LOCALSTATEDIR}/honk/memes/ +@sample ${LOCALSTATEDIR}/honk/views/ @mode @owner @group 
@@ -31,75 +31,79 @@ share/doc/honk/ share/doc/honk/LICENSE share/doc/honk/README share/doc/honk/activitypub.7.html -@sample ${VARBASE}/honk/docs/activitypub.7.html +@sample ${LOCALSTATEDIR}/honk/docs/activitypub.7.html share/doc/honk/changelog.txt share/doc/honk/hfcs.1.html -@sample ${VARBASE}/honk/docs/hfcs.1.html +@sample ${LOCALSTATEDIR}/honk/docs/hfcs.1.html share/doc/honk/honk.1.html -@sample ${VARBASE}/honk/docs/honk.1.html +@sample ${LOCALSTATEDIR}/honk/docs/h
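Review bot: the DISTFILES line added in the Makefile hunk at `@@ -13,6 +13,8 @@` fetches the icon from a path containing `v/tip`, while distinfo pins `honk-icon.png` to a fixed SHA256 and SIZE 912. If that path follows the repository tip, any upstream change to the icon breaks the checksum and the port stops fetching; point the URL at a fixed revision or ship the file under files/ instead. In the post-install hunk the same PNG is also installed as `favicon.ico`, which deserves a one-line comment saying that is intentional.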
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
- Removed non-honk configuration from README On 9/22/22, Christoph R. Winter wrote: > I would appricate it if Honk 0.9.8 makes it in the 7.2 ports -release but I > think it will not as it is now. As we Honked today, I try to explain how I > would change the diff. > > Basically, I find it good that you care of not experienced users but this > information is not required that the port works or is useable and it makes > more work to have informations on various places (that means not, that you > should remove it, I just would implement it in another way). > > I would write it in the following way. > > Honk requires relayd(8) (because it is already in the base system) as TLS > endpoint. That means you need a SSL certificate which you can obtain using > acme-client(1) and a server section in httpd.conf(8) (maybe including a 302 > redirect from HTTP to HTTPS). > > - for experienced users you have nothing more to explain and it keeps > discussions about how to make this and that away from the mailing list. If > someone uses software x they have to self find out how (thats why the > information that relayd is in the base system). > > If you are new to running your own web services or to Honk, there is a > detailed writeup at the maintainer blog ... > > - your URL, there you can explain all details (from DNS - to cron) and also > show how to setup the dev version of Honk to help tedu test things. In your > blog you could spread the word about the OS, Honk and the fedi. > > Beside of that, in the examples directory of Honk you find example > configuration files. > > - just ask tedu to add your acme-client.conf, httpd.conf and relayd.conf > file which you also could use to decument / explain things. > > - then you could add the 4 lines of the relayd.conf file which are related > to Honk, the init and the upgrade section. > > Just a idea and just my 2 cents, the committers decide. 
> BTW the diff still works as it should, I setup Honk again on a clean install > using 7.2 GENERIC.MP#734 amd64 from monday this week. > > Regards, > > > Christoph > > P. S. sorry if the format is not as it should be, I try to use Mutt. > > Index: Makefile === RCS file: /cvs/ports/www/honk/Makefile,v retrieving revision 1.19 diff -u -p -r1.19 Makefile --- Makefile11 Mar 2022 20:09:55 - 1.19 +++ Makefile23 Sep 2022 16:17:47 - @@ -1,6 +1,6 @@ COMMENT = federated status conveyance -DISTNAME = honk-0.9.7 +DISTNAME = honk-0.9.8 CATEGORIES = www HOMEPAGE = https://humungus.tedunangst.com/r/honk @@ -13,6 +13,8 @@ PERMIT_PACKAGE = Yes WANTLIB += c pthread sqlite3 MASTER_SITES = ${HOMEPAGE}/d/ +DISTFILES =${EXTRACT_ONLY} honk-{../v/tip/d/views/}icon.png +EXTRACT_ONLY = ${DISTNAME}${EXTRACT_SUFX} EXTRACT_SUFX = .tgz MODULES = lang/go @@ -21,8 +23,7 @@ LIB_DEPENDS = databases/sqlite3 NO_TEST = Yes ALL_TARGET = humungus.tedunangst.com/r/honk -SUBST_VARS += VARBASE \ - SYSCONFDIR +SUBST_VARS += SYSCONFDIR DOCDIR ?= ${PREFIX}/share/doc/honk EXAMPLESDIR = ${PREFIX}/share/examples/honk @@ -53,5 +54,7 @@ post-install: ${EXAMPLESDIR}/views/ ${INSTALL_DATA} ${MODGO_WORKSPACE}/src/${ALL_TARGET}/schema.sql \ ${EXAMPLESDIR}/ + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/favicon.ico + ${INSTALL_DATA} ${DISTDIR}/honk-icon.png ${EXAMPLESDIR}/views/icon.png .include Index: distinfo === RCS file: /cvs/ports/www/honk/distinfo,v retrieving revision 1.11 diff -u -p -r1.11 distinfo --- distinfo2 Mar 2022 07:31:01 - 1.11 +++ distinfo23 Sep 2022 16:17:47 - @@ -1,2 +1,4 @@ -SHA256 (honk-0.9.7.tgz) = t6EM5E98qvlnq6Y6vd21MvPBrWpkmo4qXdgNEUAeF7M= -SIZE (honk-0.9.7.tgz) = 522993 +SHA256 (honk-0.9.8.tgz) = BmZgMvN7fFrft+W0+V2j3tezI5kRLl/7Fx5wIVXwCG4= +SHA256 (honk-icon.png) = 92RJuF2onJ/1OYs4E4TYDm9KbzmNKISl+1+MSdhpzUQ= +SIZE (honk-0.9.8.tgz) = 511957 +SIZE (honk-icon.png) = 912 Index: pkg/MESSAGE === RCS file: pkg/MESSAGE diff -N pkg/MESSAGE 
--- /dev/null 1 Jan 1970 00:00:00 - +++ pkg/MESSAGE 23 Sep 2022 16:17:47 - @@ -0,0 +1,15 @@ +The database has changed since version 0.9.7 + +Stop the old honk process. +honk# rcctl stop honk + +Backup the database. +honk# doas -su _honk +honk$ umask 077; cd ${LOCALSTATEDIR}/honk && honk backup `date +backup-%F` + +Perform the upgrade with the upgrade command. +honk$ honk upgrade +honk$ exit + +Restart. +honk# rcctl start honk Index: pkg/PLIST === RCS file: /cvs/ports/www/honk/pkg/PLIST,v retrieving revision 1.9 diff -u -p -r1.
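Review bot: in the pkg/MESSAGE hunk, `honk upgrade` is a separate step from the `honk backup` line, so nothing in the instructions stops the upgrade from running after a failed backup. Either say explicitly to continue only if the backup succeeded, or chain the two as `honk backup ... && honk upgrade` on the line that already sets `umask 077` and changes into `${LOCALSTATEDIR}/honk`.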
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
I would appreciate it if Honk 0.9.8 makes it in the 7.2 ports -release but I think it will not as it is now. As we Honked today, I try to explain how I would change the diff.

Basically, I find it good that you care of not experienced users but this information is not required that the port works or is useable and it makes more work to have information on various places (that means not, that you should remove it, I just would implement it in another way).

I would write it in the following way.

Honk requires relayd(8) (because it is already in the base system) as TLS endpoint. That means you need an SSL certificate which you can obtain using acme-client(1) and a server section in httpd.conf(8) (maybe including a 302 redirect from HTTP to HTTPS).

- for experienced users you have nothing more to explain and it keeps discussions about how to make this and that away from the mailing list. If someone uses software x they have to self find out how (that's why the information that relayd is in the base system).

If you are new to running your own web services or to Honk, there is a detailed writeup at the maintainer blog ...

- your URL, there you can explain all details (from DNS - to cron) and also show how to set up the dev version of Honk to help tedu test things. In your blog you could spread the word about the OS, Honk and the fedi.

Beside of that, in the examples directory of Honk you find example configuration files.

- just ask tedu to add your acme-client.conf, httpd.conf and relayd.conf file which you also could use to document / explain things.

- then you could add the 4 lines of the relayd.conf file which are related to Honk, the init and the upgrade section.

Just an idea and just my 2 cents, the committers decide.

BTW the diff still works as it should, I set up Honk again on a clean install using 7.2 GENERIC.MP#734 amd64 from Monday this week.

Regards,

Christoph

P. S. sorry if the format is not as it should be, I try to use Mutt.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
ping

On 9/16/22, Horia Racoviceanu wrote:
> - Changed the certificate renewal cron job based on the OCSP staple
> interval for letsencrypt (for buypass it should be changed to run
> every 7th hour) and based on the update steps listed by Stuart
> - Replaced VARBASE with LOCALSTATEDIR
>
> I'd like to keep the acme-client and ocspcheck configuration in the
> port README because I know some less OpenBSD savvy people who
> installed the Honk package.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
BTW what do you think about a section in the FAQ about httpd, relayd, acme-client for all web applications?
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
1. The staple needs to be updated periodically

2. If the certificate is updated the staple needs to be updated too

3. If either the certificate or the staple are changed, relayd needs a
reload

To be honest I'm not sure if it really belongs in the doc for some
random port in www, this applies to anyone using relayd to front-end a
web application.

--
Sent from a phone, apologies for poor formatting.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
Besides this question, the idea of OCSP is

By turning on OCSP Stapling, you can improve the performance of your
website, provide better privacy protections for your users, and help
Let’s Encrypt efficiently serve as many people as possible.

https://letsencrypt.org/docs/integration-guide/

Is it better to update the OCSP file before it expires or update it only
seldom (in this case the question is whether it is not better to not
use OCSP)?

On 31.07.22 at 00:33, Horia Racoviceanu wrote:
> I've switched the cron job to chaining acme-client && ocspcheck on
> June 20.
> Both the certificate and the OCSP response were last updated on June
> 20.
>
> # ocspcheck -vNi /etc/ssl/honk.example.com.{ocsp,crt}
> ocspcheck: Invalid OCSP reply: this update is too old Mon Jun 20
> 05:46:59 2022
>
> relayd and Firefox do not complain.
>
> ssllabs.com reports:
>
> OCSP Must Staple No
> OCSP stapling Yes
> OCSP STAPLING ERROR: OCSP response expired on Mon Jun 20 20:46:59 UTC
> 2022
>
> Can the OCSP STAPLING ERROR be ignored?
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
Welcome.

The question is then, why the OCSP staple file expires after hours or 7
days and the certificate will be renewed after 60 days following man 1
acme-client

-F Force certificate renewal, even if it has more than 30 days
validity.

It can't be the idea to have so long an expired OCSP file (saw Firefox in
the past complain when an outdated OCSP file exists). So, if you replace
the first && with a ; nothing will change as the last && to reload
relayd will only happen if the cert or the OCSP file (or both) was
renewed and if both are up to date nothing will happen.

Just my 2 cents.

Regards,

Christoph

On 30.07.22 at 19:07, Horia Racoviceanu wrote:
> Thanks for testing!
>
> As Stuart Henderson mentioned,
>> You do really want to update OCSP if a cert has been renewed.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
Hello,

I have only kept the first message and was not subscribed to the list
for some time - let's see where the message ends.

I tried the latest patch from

https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3

and it worked fine using

OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022

and the -current ports tree using amd64.

Maybe I am wrong but the crontab from the above patch

+~ ~ * * * acme-client honk.example.com && ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd

needs to be modified. The first && must be replaced with ; (or split
into 2 cron jobs). As it is now, the ocsp file gets only renewed every 60
days, as acme-client renews the certificate only 30 days before it
expires (checked with the -v option and as nothing happened before, &&
stops at this point).

BTW my ocsp file with the above command is valid for 7 days.

ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
Using http to host r3.o.lencr.org, port 80, path /
OCSP response validated from r3.o.lencr.org
This Update: Thu Jul 28 15:00:00 2022
Next Update: Thu Aug 4 14:59:58 2022

The only thing I did was using the /etc/examples/acme-client.conf file,
added my email and added the domain blocks.

Regards,

Christoph

On 01.06.22 at 23:37, Horia Racoviceanu wrote:
> Upgrade to v0.9.8
> - Add MESSAGE
> - Update README
>
> changelog
>
> === 0.9.8 Tentative Tentacle
>
> + Switch database to WAL mode.
> - go version 1.16 required.
> + Specify banner: image in profile.
> + Update activity compatibility with mastodon.
> - Signed fetch.
> + Better unicode hashtags.
> + Some more configuration options.
> + Some UI improvements to web interface.
> + Add atme class to mentions
> + Improvements to the mastodon importer.
> + More hydration capable pages.
> + Support for local.js.
> + Better error messages for timeouts.
> + Some improved html and markdown.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
binaries in cvs are not a great idea

On 2022/06/26 12:26, Horia Racoviceanu wrote:
> Changed the acme-client cron job to run daily, and chained ocspcheck
> and relayd reload.
>
> ~ ~ * * * acme-client honk.example.com && ocspcheck -No
> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
>
> Added "favicon.ico" and "icon.png" in the port $FILESDIR to be
> installed into $EXAMPLESDIR and @sample into /var/honk
>
> I haven't used DISTFILES because the icons are located on a private
> honk instance, not in the distribution repo. I sent a request upstream
> to include "favicon.ico" and "icon.png" in the honk repo so they'll
> install by default.
>
> Thank you both! Sorry for the long delay, I've been testing the new cron job.
Re: [MAINTAINER UPDATE] www/honk 0.9.7 -> 0.9.8
On 2022/06/19 13:28, Horia Racoviceanu wrote:
> From my tests, The OCSP response is valid for a few hours e.g.
>
> Using http to host ocsp.buypass.com, port 80, path /
> OCSP response validated from ocsp.buypass.com
> This Update: Sun Jun 19 09:55:11 2022
> Next Update: Sun Jun 19 17:55:11 2022
>
> This is why I don't use "&&" to restart relayd when there's a new OCSP
> response without a certificate renewal or vice versa.
>
> relayd could restart only when there's a new OCSP response but I
> haven't tested it e.g.
>
> ~ * * * * acme-client honk.example.com; ocspcheck -No \
> ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl restart relayd
>
> Or I could separate acme-client and ocspcheck cron jobs and use "&&"
> on both but I'm afraid there may be a few minutes of stale OCSP
> response e.g.
>
> ~ * * * * acme-client honk.example.com && rcctl restart relayd
> ~ * * * * ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt}
> && rcctl restart relayd
>
> What do you think?

acme-client doesn't need to run every hour. Once a day is plenty.
You do really want to update OCSP if a cert has been renewed.

Isn't "reload" enough? A full restart of relayd is rather disruptive
especially if it's running multiple services.

Looking at the existing pkg-readme:

: Icon and favicon
:
:
: honk# mkdir ${VARBASE}/www/htdocs/honk
: honk# ftp -o ${VARBASE}/www/htdocs/honk/icon.png \
: https://honk.tedunangst.com/icon.png
: honk# ftp -o ${VARBASE}/www/htdocs/honk/favicon.ico \
: https://honk.tedunangst.com/favicon.ico

Why not include these in the package? Easiest way is probably to install
in /usr/local/share/examples/honk and @sample into /var/www.
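
The three rules from the thread (refresh the staple periodically, refresh it whenever the certificate changes, reload relayd when either changed) written as one cron-callable script. This is an added example, not the port's README crontab or code posted by anyone in the thread; `refresh_tls`, `DOMAIN`, `SSLDIR` and the `*_CMD` variables are names assumed here, the exit codes are those documented in acme-client(1), and the `cmp` comparison goes beyond what the thread discusses.

```shell
#!/bin/sh
# Added example. DOMAIN, SSLDIR and the *_CMD hooks are assumed names; the
# hooks exist so the real commands can be replaced when testing offline.
DOMAIN="${DOMAIN:-honk.example.com}"
SSLDIR="${SSLDIR:-/etc/ssl}"
ACME_CMD="${ACME_CMD:-acme-client}"
OCSP_CMD="${OCSP_CMD:-ocspcheck}"
RELOAD_CMD="${RELOAD_CMD:-rcctl reload relayd}"

refresh_tls() {
    crt="$SSLDIR/$DOMAIN.crt"
    staple="$SSLDIR/$DOMAIN.ocsp"
    changed=0
    failed=0

    # acme-client(1) exit status: 0 = certificate changed, 2 = still up to
    # date, 1 = failure. A plain "&&" treats 2 like a failure and skips the
    # staple refresh; here only a real failure is recorded, and even that
    # does not block the staple refresh.
    rc=0
    $ACME_CMD "$DOMAIN" || rc=$?
    case $rc in
        0) changed=1 ;;
        2) ;;
        *) echo "acme-client failed for $DOMAIN (exit $rc)" >&2; failed=1 ;;
    esac

    # Fetch a fresh staple on every run, into a temporary file, so the old
    # staple can be compared against it and replaced atomically.
    tmp=$(mktemp "$staple.XXXXXX") || return 1
    if $OCSP_CMD -No "$tmp" "$crt" && [ -s "$tmp" ]; then
        if cmp -s "$tmp" "$staple" 2>/dev/null; then
            rm -f "$tmp"        # responder returned the same bytes
        elif chmod 0644 "$tmp" && mv "$tmp" "$staple"; then
            changed=1
        else
            rm -f "$tmp"
            failed=1
        fi
    else
        rm -f "$tmp"
        echo "ocspcheck failed for $crt; keeping the old staple" >&2
        failed=1
    fi

    # Reload (not restart) relayd only when the certificate or staple changed.
    if [ "$changed" -eq 1 ]; then
        $RELOAD_CMD || return 1
        echo reloaded
    else
        echo unchanged
    fi
    return "$failed"
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = run ]; then
    refresh_tls
    exit
fi
```

The schedule still has to fit the responder: daily is enough for the 7-day Let's Encrypt staple shown in the thread, while the buypass responses quoted there last only a few hours.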