bundles/letsencrypt: remove ocsp stapling

This causes problems with weechat and dovecot. Those certificates
are short-lived, so not having OCSP stapling is probably fine.

bundles/letsencrypt/files/config

@@ -3,5 +3,3 @@ BASEDIR=/var/lib/dehydrated
 WELLKNOWN="${BASEDIR}/acme-challenges"
 DOMAINS_TXT="/etc/dehydrated/domains.txt"
 HOOK="/etc/dehydrated/hook.sh"
-OCSP_MUST_STAPLE="yes"
-OCSP_FETCH="yes"

bundles/letsencrypt/items.py

@@ -11,6 +11,9 @@ actions = {
         'needs': {
             'pkg_apt:dehydrated',
         },
+        'needed_by': {
+            'svc_systemd:nginx',
+        },
     },
 }
 
@@ -21,7 +24,11 @@ files = {
             'action:letsencrypt_update_certificates',
         },
     },
-    '/etc/dehydrated/config': {},
+    '/etc/dehydrated/config': {
+        'triggers': {
+            'action:letsencrypt_update_certificates',
+        },
+    },
     '/etc/dehydrated/hook.sh': {
         'content_type': 'mako',
         'mode': '0755',

bundles/nginx/files/site_template

@@ -14,9 +14,6 @@ server {
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_stapling_file /var/lib/dehydrated/certs/${domain}/ocsp.der;
 
     resolver 8.8.8.8 8.8.4.4 valid=300s;
     resolver_timeout 5s;