bundles/letsencrypt: remove ocsp stapling

OCSP stapling causes problems with weechat and dovecot. The certificates
are short-lived, so not having OCSP stapling is probably fine.
Franzi 2020-07-26 18:48:37 +02:00
parent ae6e590bda
commit 7986f6ee7d
Signed by: kunsi
GPG key ID: 12E3D2136B818350
3 changed files with 8 additions and 6 deletions


@ -3,5 +3,3 @@ BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/domains.txt"
HOOK="/etc/dehydrated/hook.sh"
OCSP_MUST_STAPLE="yes"
OCSP_FETCH="yes"


@ -11,6 +11,9 @@ actions = {
'needs': {
'pkg_apt:dehydrated',
},
'needed_by': {
'svc_systemd:nginx',
},
},
}
@ -21,7 +24,11 @@ files = {
'action:letsencrypt_update_certificates',
},
},
'/etc/dehydrated/config': {},
'/etc/dehydrated/config': {
'triggers': {
'action:letsencrypt_update_certificates',
},
},
'/etc/dehydrated/hook.sh': {
'content_type': 'mako',
'mode': '0755',
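Review bot: The new `triggers` entry on `/etc/dehydrated/config` in the second hunk re-runs `action:letsencrypt_update_certificates` when the config changes, but certificates already issued with the must-staple extension keep it until they are actually reissued. The action's command is outside this hunk; if it is a plain `dehydrated --cron`, certificates that are still valid are presumably skipped, and nginx would then serve must-staple certificates without a stapled response, which clients that enforce the extension reject. Consider forcing one reissue during rollout (dehydrated's `--force`) or at least documenting it above the trigger, e.g. `# config change re-runs dehydrated; certs issued with must-staple need a forced renew`. The `files` dict continues past the end of the hunk.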


@ -14,9 +14,6 @@ server {
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_stapling_file /var/lib/dehydrated/certs/${domain}/ocsp.der;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;