From 7986f6ee7d188ac65df1707601ed029b249c3643 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 26 Jul 2020 18:48:37 +0200
Subject: [PATCH] bundles/letsencrypt: remove ocsp stapling

This causes problems with weechat and dovecot. Those certificates are short-lived, so not having OCSP stapling is probably fine.
---
 bundles/letsencrypt/files/config | 2 --
 bundles/letsencrypt/items.py | 9 ++++++++-
 bundles/nginx/files/site_template | 3 ---
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/bundles/letsencrypt/files/config b/bundles/letsencrypt/files/config
index 5adad34..2d4b2b6 100644
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@@ -3,5 +3,3 @@ BASEDIR=/var/lib/dehydrated
 WELLKNOWN="${BASEDIR}/acme-challenges"
 DOMAINS_TXT="/etc/dehydrated/domains.txt"
 HOOK="/etc/dehydrated/hook.sh"
-OCSP_MUST_STAPLE="yes"
-OCSP_FETCH="yes"
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index 5b2ceef..de48e04 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@@ -11,6 +11,9 @@ actions = {
 'needs': {
 'pkg_apt:dehydrated',
 },
+ 'needed_by': {
+ 'svc_systemd:nginx',
+ },
 },
 }
@@ -21,7 +24,11 @@ files = {
 'action:letsencrypt_update_certificates',
 },
 },
- '/etc/dehydrated/config': {},
+ '/etc/dehydrated/config': {
+ 'triggers': {
+ 'action:letsencrypt_update_certificates',
+ },
+ },
 '/etc/dehydrated/hook.sh': {
 'content_type': 'mako',
 'mode': '0755',
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index df8bfd4..72d04b9 100644
--- a/bundles/nginx/files/site_template
+++ b/bundles/nginx/files/site_template
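Review bot: The new `'needed_by': {'svc_systemd:nginx'}` on `action:letsencrypt_update_certificates` can deadlock a first deploy: the dehydrated config in this same patch puts the challenge directory at `${BASEDIR}/acme-challenges`, and if that directory is served by nginx for the HTTP-01 challenge (as its name suggests; the vhost serving it is outside this patch), then initial issuance needs a running nginx while nginx now waits for the action to finish. Whether that blocks depends on the action's command and whether it tolerates a failed run, neither of which is visible in the hunk, so it is worth confirming on a clean host rather than assuming. A comment on the added key would record the assumption: `# runs before nginx starts; first issuance on a fresh host needs the ACME dir reachable — verify bootstrap`. The enclosing `actions` dict begins outside the hunk.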
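Review bot: The added `'triggers'` on `/etc/dehydrated/config` does not, on its own, undo the `OCSP_MUST_STAPLE="yes"` removal in this patch: as far as I know a normal dehydrated run only reissues certificates that are within the renewal window, so any certificate already issued with the Must-Staple extension keeps it until its regular renewal, which on a 90-day Let's Encrypt lifetime can be weeks away. Combined with `ssl_stapling` being switched off in the nginx template, clients that enforce Must-Staple will refuse those certificates during that window, which is the opposite of what the "short-lived, so probably fine" rationale assumes. Unless the action's command (outside the hunk) passes a force flag, a one-off forced reissue after rolling this out is needed; the trigger deserves a comment saying so: `# re-run dehydrated when config changes; only expiring certs are reissued unless forced`. The enclosing `files` dict begins and ends outside the hunk.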
@@ -14,9 +14,6 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_stapling_file /var/lib/dehydrated/certs/${domain}/ocsp.der;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;
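Review bot: The `resolver 8.8.8.8 8.8.4.4 valid=300s;` and `resolver_timeout 5s;` lines left at the end of the hunk lose their only visible consumer once the three `ssl_stapling*` directives are removed — the resolver existed so nginx could reach the OCSP responder, and with `ssl_stapling_file` supplying the response it was arguably unused even before. Unless some other directive in the server block (outside the hunk, e.g. a `proxy_pass` to a hostname) depends on it, it should be deleted together with the stapling, so the vhost does not silently keep an unauthenticated plaintext DNS dependency on Google's resolvers. If it has to stay, a one-line comment naming which directive needs it would stop the next reader from re-asking. The enclosing `server` block begins and ends outside the hunk.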