bundles/letsencrypt: remove ocsp stapling

This causes problems with weechat and dovecot. Those certificates are short-lived, so not having OCSP stapling is probably fine.
2020-07-26 18:48:37 +02:00 · 2020-07-26 18:48:37 +02:00 · 7986f6ee7d
commit 7986f6ee7d
parent ae6e590bda
3 changed files with 8 additions and 6 deletions
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@ -3,5 +3,3 @@ BASEDIR=/var/lib/dehydrated
 WELLKNOWN="${BASEDIR}/acme-challenges"
 DOMAINS_TXT="/etc/dehydrated/domains.txt"
 HOOK="/etc/dehydrated/hook.sh"
-OCSP_MUST_STAPLE="yes"
-OCSP_FETCH="yes"
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -11,6 +11,9 @@ actions = {
        'needs': {
            'pkg_apt:dehydrated',
        },
+        'needed_by': {
+            'svc_systemd:nginx',
+        },
    },
 }

@ -21,7 +24,11 @@ files = {
            'action:letsencrypt_update_certificates',
        },
    },
-    '/etc/dehydrated/config': {},
+    '/etc/dehydrated/config': {
+        'triggers': {
+            'action:letsencrypt_update_certificates',
+        },
+    },
    '/etc/dehydrated/hook.sh': {
        'content_type': 'mako',
        'mode': '0755',
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
@ -14,9 +14,6 @@ server {
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    ssl_stapling_file /var/lib/dehydrated/certs/${domain}/ocsp.der;

    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;