From f7eb0cc1500f275940825c93b6e4878f12a0ec0d Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 19 Jul 2020 12:10:19 +0200
Subject: [PATCH] bundles/{letsencrypt,nginx}: fix ocsp stapling

---
 bundles/letsencrypt/files/config | 2 ++
 bundles/letsencrypt/items.py | 2 +-
 bundles/letsencrypt/metadata.py | 2 +-
 bundles/nginx/files/site_template | 5 +++++
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/bundles/letsencrypt/files/config b/bundles/letsencrypt/files/config
index 2d4b2b6..5adad34 100644
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@@ -3,3 +3,5 @@ BASEDIR=/var/lib/dehydrated
 WELLKNOWN="${BASEDIR}/acme-challenges"
 DOMAINS_TXT="/etc/dehydrated/domains.txt"
 HOOK="/etc/dehydrated/hook.sh"
+OCSP_MUST_STAPLE="yes"
+OCSP_FETCH="yes"
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index 4848411..5b2ceef 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@@ -6,7 +6,7 @@ pkg_apt = {
 actions = {
 'letsencrypt_update_certificates': {
- 'command': 'dehydrated --cron --accept-terms --ocsp --challenge http-01',
+ 'command': 'dehydrated --cron --accept-terms --challenge http-01',
 'triggered': True,
 'needs': {
 'pkg_apt:dehydrated',
diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py
index 0c42592..e346ae8 100644
--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@@ -2,7 +2,7 @@ def crontab(metadata):
 return {
 'cron': {
- 'letsencrypt_renew': '20 4 * * * root /usr/bin/dehydrated --cron --accept-terms --ocsp --challenge http-01 > /dev/null',
+ 'letsencrypt_renew': '20 4 * * * root /usr/bin/dehydrated --cron --accept-terms --challenge http-01 > /dev/null',
 'letsencrypt_cleanup': '42 23 * * 0 root /usr/bin/dehydrated --cleanup > /dev/null',
 },
 }, DEFAULTS, DONE
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
index ad7af96..df8bfd4 100644
--- a/bundles/nginx/files/site_template
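Review bot: `OCSP_MUST_STAPLE="yes"` only affects certificates issued after this change, and once a certificate carries the must-staple (TLS Feature) extension, a client that enforces it (Firefox does) hard-fails the handshake when the server sends no staple or a stale one instead of falling back to its own OCSP query. With the fetch done by the daily 04:20 cron in this patch and nginx serving ocsp.der from a file it reads at reload time, the staple on the wire stays fresh only if /etc/dehydrated/hook.sh (not in this diff) reloads nginx in its deploy_ocsp hook after every refresh, and I could not confirm that here. I would document the hazard next to the new setting: `# must-staple: clients reject the cert without a fresh staple; hook.sh must reload nginx whenever ocsp.der is refreshed`. Existing certificates gain the extension only at their next renewal, so the stapling path should be verified against a reissued certificate before relying on it.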
+++ b/bundles/nginx/files/site_template
@@ -6,6 +6,7 @@ server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
+ ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;
 ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
 ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
@@ -15,6 +16,10 @@ server {
 ssl_session_cache shared:SSL:10m;
 ssl_stapling on;
 ssl_stapling_verify on;
+ ssl_stapling_file /var/lib/dehydrated/certs/${domain}/ocsp.der;
+
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
+ resolver_timeout 5s;
 add_header Strict-Transport-Security "max-age=31104000; preload";
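Review bot: The `resolver 8.8.8.8 8.8.4.4 valid=300s;` and `resolver_timeout 5s;` lines added below ssl_stapling_file look unnecessary and change behaviour beyond stapling: with ssl_stapling_file nginx serves the pre-fetched ocsp.der and does not contact the OCSP responder, which is the only thing the stapling setup would have needed a resolver for. As written, the resolver instead sends every runtime name lookup in this server block (e.g. proxy_pass with variables) to Google's public DNS over plaintext UDP, bypassing the host's own resolver. I would drop the two lines, or if a resolver is genuinely wanted for other directives, point it at the local one, e.g. `resolver 127.0.0.1 valid=300s;`. A one-line comment above ssl_stapling_file would also help the next maintainer: `# served verbatim from dehydrated's ocsp.der; nginx re-reads it only on reload`.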