
D3637.diff

D3637.diff

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -34,9 +34,6 @@
repo: roles/webserver-core/nginx/files/ocsp-ca-certs.pem \
.git/hooks/pre-commit
-roles/webserver-core/nginx/files/ocsp-ca-certs.pem:
- utils/generate-ocsp-bundle.sh > roles/webserver-core/nginx/files/ocsp-ca-certs.pem
-
.git/hooks/pre-commit:
pre-commit install
diff --git a/roles/devserver/webserver-home/files/001-server.conf b/roles/devserver/webserver-home/files/001-server.conf
--- a/roles/devserver/webserver-home/files/001-server.conf
+++ b/roles/devserver/webserver-home/files/001-server.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
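Review bot: The added `ssl_trusted_certificate` line has no comment saying why it is needed, and on its own it changes nothing. nginx reads this file only to verify client certificates or stapled OCSP responses, so it takes effect only if stapling verification (or client verification) is enabled, presumably in `includes/tls`, which this diff does not show. Once that is confirmed, a one-line comment above it would record the intent, for example `# CA chain used to verify stapled OCSP responses (see includes/tls)`. The same applies to the identical line added in the other vhost hunks of this diff. The server block starts and ends outside the hunk.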
diff --git a/roles/paas-docker/nginx/files/vhosts/_default.conf b/roles/paas-docker/nginx/files/vhosts/_default.conf
--- a/roles/paas-docker/nginx/files/vhosts/_default.conf
+++ b/roles/paas-docker/nginx/files/vhosts/_default.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/acme_dns.conf b/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
--- a/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
+++ b/roles/paas-docker/nginx/files/vhosts/acme_dns.conf
@@ -31,6 +31,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/auth-grove.conf b/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
--- a/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
+++ b/roles/paas-docker/nginx/files/vhosts/auth-grove.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/base/server.conf b/roles/paas-docker/nginx/files/vhosts/base/server.conf
--- a/roles/paas-docker/nginx/files/vhosts/base/server.conf
+++ b/roles/paas-docker/nginx/files/vhosts/base/server.conf
@@ -33,6 +33,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/bugzilla.conf b/roles/paas-docker/nginx/files/vhosts/bugzilla.conf
--- a/roles/paas-docker/nginx/files/vhosts/bugzilla.conf
+++ b/roles/paas-docker/nginx/files/vhosts/bugzilla.conf
@@ -28,6 +28,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/cachet.conf b/roles/paas-docker/nginx/files/vhosts/cachet.conf
--- a/roles/paas-docker/nginx/files/vhosts/cachet.conf
+++ b/roles/paas-docker/nginx/files/vhosts/cachet.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/etherpad.conf b/roles/paas-docker/nginx/files/vhosts/etherpad.conf
--- a/roles/paas-docker/nginx/files/vhosts/etherpad.conf
+++ b/roles/paas-docker/nginx/files/vhosts/etherpad.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/hauk.conf b/roles/paas-docker/nginx/files/vhosts/hauk.conf
--- a/roles/paas-docker/nginx/files/vhosts/hauk.conf
+++ b/roles/paas-docker/nginx/files/vhosts/hauk.conf
@@ -33,6 +33,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/jenkins.conf b/roles/paas-docker/nginx/files/vhosts/jenkins.conf
--- a/roles/paas-docker/nginx/files/vhosts/jenkins.conf
+++ b/roles/paas-docker/nginx/files/vhosts/jenkins.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/notifications.conf b/roles/paas-docker/nginx/files/vhosts/notifications.conf
--- a/roles/paas-docker/nginx/files/vhosts/notifications.conf
+++ b/roles/paas-docker/nginx/files/vhosts/notifications.conf
@@ -28,6 +28,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/openfire.conf b/roles/paas-docker/nginx/files/vhosts/openfire.conf
--- a/roles/paas-docker/nginx/files/vhosts/openfire.conf
+++ b/roles/paas-docker/nginx/files/vhosts/openfire.conf
@@ -33,6 +33,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
@@ -62,6 +63,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/orbeon.conf b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
--- a/roles/paas-docker/nginx/files/vhosts/orbeon.conf
+++ b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
@@ -27,6 +27,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/penpot_web.conf b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
--- a/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
+++ b/roles/paas-docker/nginx/files/vhosts/penpot_web.conf
@@ -40,6 +40,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/phabricator.conf b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
--- a/roles/paas-docker/nginx/files/vhosts/phabricator.conf
+++ b/roles/paas-docker/nginx/files/vhosts/phabricator.conf
@@ -38,6 +38,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/proxy_params;
proxy_redirect off;
@@ -83,6 +84,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
@@ -115,6 +117,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
@@ -153,6 +156,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
@@ -175,6 +179,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/pixelfed.conf b/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
--- a/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
+++ b/roles/paas-docker/nginx/files/vhosts/pixelfed.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf b/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
--- a/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
+++ b/roles/paas-docker/nginx/files/vhosts/rabbitmq.conf
@@ -33,6 +33,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/registry.conf b/roles/paas-docker/nginx/files/vhosts/registry.conf
--- a/roles/paas-docker/nginx/files/vhosts/registry.conf
+++ b/roles/paas-docker/nginx/files/vhosts/registry.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/sentry.conf b/roles/paas-docker/nginx/files/vhosts/sentry.conf
--- a/roles/paas-docker/nginx/files/vhosts/sentry.conf
+++ b/roles/paas-docker/nginx/files/vhosts/sentry.conf
@@ -28,6 +28,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/tommy.conf b/roles/paas-docker/nginx/files/vhosts/tommy.conf
--- a/roles/paas-docker/nginx/files/vhosts/tommy.conf
+++ b/roles/paas-docker/nginx/files/vhosts/tommy.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/paas-docker/nginx/files/vhosts/vault.conf b/roles/paas-docker/nginx/files/vhosts/vault.conf
--- a/roles/paas-docker/nginx/files/vhosts/vault.conf
+++ b/roles/paas-docker/nginx/files/vhosts/vault.conf
@@ -28,6 +28,7 @@
include includes/tls;
ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+ ssl_trusted_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/chain.pem;
include includes/letsencrypt;
diff --git a/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/agora.conf b/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/agora.conf
--- a/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/agora.conf
+++ b/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/agora.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/agora.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/agora.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/agora.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/agora-error.log;
access_log /var/log/www/nasqueron.org/agora-access.log;
diff --git a/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/wikis.conf b/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/wikis.conf
--- a/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/wikis.conf
+++ b/roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/wikis.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/wikis.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/wikis.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/wikis.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/wikis-error.log;
access_log /var/log/www/nasqueron.org/wikis-access.log;
diff --git a/roles/saas-mediawiki/nginx/files/vhosts/test.ook.space/mediawiki.conf b/roles/saas-mediawiki/nginx/files/vhosts/test.ook.space/mediawiki.conf
--- a/roles/saas-mediawiki/nginx/files/vhosts/test.ook.space/mediawiki.conf
+++ b/roles/saas-mediawiki/nginx/files/vhosts/test.ook.space/mediawiki.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/mediawiki.test.ook.space/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/mediawiki.test.ook.space/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/mediawiki.test.ook.space/chain.pem;
error_log /var/log/www/ook.space/mediawiki-test-error.log;
access_log /var/log/www/ook.space/mediawiki-test-access.log;
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
@@ -38,6 +38,7 @@
include includes/tls;
ssl_certificate /etc/letsencrypt/live/www.eglide.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.eglide.org/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/www.eglide.org/chain.pem;
###
### Main site
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/assets.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/assets.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/assets.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/assets.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/assets.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/assets.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/assets.dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/assets-error.log;
access_log /var/log/www/dereckson.be/assets-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/hg.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/hg.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/hg.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/hg.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/hg.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/hg.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/hg.dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/hg-error.log;
access_log /var/log/www/dereckson.be/hg-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/mediawiki.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/mediawiki.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/mediawiki.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/mediawiki.conf
@@ -29,6 +29,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/mediawiki.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/mediawiki.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/mediawiki.dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/mediawiki-error.log;
access_log /var/log/www/dereckson.be/mediawiki-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/scherzo.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/scherzo.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/scherzo.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/scherzo.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/scherzo.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/scherzo.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/scherzo.dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/scherzo-error.log;
access_log /var/log/www/dereckson.be/scherzo-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www.conf
@@ -22,6 +22,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/www-error.log;
access_log /var/log/www/dereckson.be/www-access.log;
@@ -72,6 +73,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/dereckson.be/chain.pem;
include includes/letsencrypt;
@@ -88,6 +90,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/blog.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/blog.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/blog.dereckson.be/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www51.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www51.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www51.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www51.conf
@@ -26,6 +26,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www51.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www51.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www51.dereckson.be/chain.pem;
error_log /var/log/www/dereckson.be/www51-error.log;
access_log /var/log/www/dereckson.be/www51-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/zed51.conf b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/zed51.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/zed51.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/dereckson.be/zed51.conf
@@ -40,6 +40,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/zed51.dereckson.be/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/zed51.dereckson.be/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/zed51.dereckson.be/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/cosmo.conf b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/cosmo.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/cosmo.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/cosmo.conf
@@ -24,6 +24,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/cosmo.espace-win.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/cosmo.espace-win.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/cosmo.espace-win.org/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/grip.conf b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/grip.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/grip.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/grip.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/grip.espace-win.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/grip.espace-win.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/grip.espace-win.org/chain.pem;
error_log /var/log/www/espace-win.org/grip-error.log;
access_log /var/log/www/espace-win.org/grip-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/www.conf b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/www.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/www.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/espace-win.org/www.conf
@@ -22,6 +22,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.espace-win.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/chain.pem;
error_log /var/log/www/espace-win.org/www-error.log;
access_log /var/log/www/espace-win.org/www-access.log;
@@ -49,6 +50,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.espace-win.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/chain.pem;
include includes/letsencrypt;
@@ -69,6 +71,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.espace-win.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.espace-win.org/chain.pem;
error_log /var/log/www/espace-win.org/www51-error.log;
access_log /var/log/www/espace-win.org/www51-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf
@@ -23,6 +23,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/hypership.space/chain.pem;
error_log /var/log/www/hypership.space/www-error.log;
access_log /var/log/www/hypership.space/www-access.log;
@@ -111,6 +112,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/hypership.space/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/hypership.space/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/hypership.space/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/admin.mail.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/admin.mail.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/admin.mail.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/admin.mail.conf
@@ -26,6 +26,7 @@
include includes/tls;
ssl_certificate /var/certificates/admin.mail.nasqueron.org/fullchain.pem;
ssl_certificate_key /var/certificates/admin.mail.nasqueron.org/key.pem;
+ ssl_trusted_certificate /var/certificates/admin.mail.nasqueron.org/key.pem;
error_log /var/log/www/nasqueron.org/admin.mail-error.log;
access_log /var/log/www/nasqueron.org/admin.mail-access.log;
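Review bot: The added `ssl_trusted_certificate` points at `key.pem`, the same file the line above passes to `ssl_certificate_key`, so nginx is told to read trusted CA certificates from the private key file. Every other vhost in this diff uses `chain.pem` here, so this looks like a copy-paste slip. A key file holds no certificates, which will likely make the configuration fail to load or leave OCSP verification without a usable chain. Suggested: `ssl_trusted_certificate /var/certificates/admin.mail.nasqueron.org/chain.pem;` if that directory ships one, otherwise the `fullchain.pem` already referenced by `ssl_certificate`. The server block continues outside the hunk.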
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api.conf
@@ -49,6 +49,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/api-error.log;
access_log /var/log/www/nasqueron.org/api-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api51.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api51.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api51.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api51.conf
@@ -41,6 +41,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api51.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api51.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api51.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/api51-error.log;
access_log /var/log/www/nasqueron.org/api51-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/assets.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/assets.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/assets.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/assets.conf
@@ -35,6 +35,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/assets.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/assets.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/assets.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/assets-error.log;
access_log /var/log/www/nasqueron.org/assets-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/autoconfig.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/autoconfig.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/autoconfig.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/autoconfig.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/autoconfig.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/autoconfig.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/autoconfig.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/autoconfig-error.log;
access_log /var/log/www/nasqueron.org/autoconfig-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/daeghrefn.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/daeghrefn.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/daeghrefn.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/daeghrefn.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/daeghrefn.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/daeghrefn.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/daeghrefn.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/daeghrefn-error.log;
access_log /var/log/www/nasqueron.org/daeghrefn-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docker.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docker.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docker.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docker.conf
@@ -22,6 +22,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/docker.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/docker.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/docker.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/docker-error.log;
access_log /var/log/www/nasqueron.org/docker-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docs.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docs.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docs.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docs.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/docs.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/docs.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/docs.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/docs-error.log;
access_log /var/log/www/nasqueron.org/docs-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/drive.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/drive.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/drive.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/drive.conf
@@ -36,6 +36,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/drive.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/drive.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/drive.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/drive-error.log;
access_log /var/log/www/nasqueron.org/drive-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/ftp.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/ftp.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/ftp.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/ftp.conf
@@ -22,6 +22,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/ftp.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/ftp.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/ftp.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/ftp-error.log;
access_log /var/log/www/nasqueron.org/ftp-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/grafana.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/grafana.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/grafana.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/grafana.conf
@@ -40,6 +40,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/grafana.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/grafana.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/grafana.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/grafana-error.log;
access_log /var/log/www/nasqueron.org/grafana-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/infra.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/infra.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/infra.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/infra.conf
@@ -34,6 +34,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/infra.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/infra.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/infra.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/infra-error.log;
access_log /var/log/www/nasqueron.org/infra-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/join.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/join.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/join.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/join.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/join.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/join.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/join.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/join-error.log;
access_log /var/log/www/nasqueron.org/join-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/labs.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/labs.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/labs.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/labs.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/labs.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/labs.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/labs.nasqueron.org/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/launch.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/launch.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/launch.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/launch.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/launch.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/launch.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/launch.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/launch-error.log;
access_log /var/log/www/nasqueron.org/launch-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/mail.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/mail.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/mail.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/mail.conf
@@ -24,6 +24,7 @@
include includes/tls;
ssl_certificate /var/certificates/mail.nasqueron.org/fullchain.pem;
ssl_certificate_key /var/certificates/mail.nasqueron.org/key.pem;
+ ssl_trusted_certificate /var/certificates/mail.nasqueron.org/key.pem;
include includes/letsencrypt;
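Review bot: The added `ssl_trusted_certificate` in this hunk points at `/var/certificates/mail.nasqueron.org/key.pem`, the same file as `ssl_certificate_key`, so nginx is told to read the private key as the CA bundle for OCSP stapling verification. Every other vhost in this diff gets `chain.pem`; this one uses `key.pem` rather than `privkey.pem`, so the migration script's `privkey.pem` → `chain.pem` replacement presumably matched nothing and only the directive name was swapped. The file holds no CA certificate, so stapling verification cannot succeed for this vhost and the configuration may fail to load. The line should name the issuer chain, e.g. `ssl_trusted_certificate /var/certificates/mail.nasqueron.org/<chain file>;`, where the actual file name under `/var/certificates` is not visible on this page. The server block starts and ends outside the hunk.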
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/packages.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/packages.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/packages.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/packages.conf
@@ -33,6 +33,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/packages.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/packages.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/packages.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/packages-error.log;
access_log /var/log/www/nasqueron.org/packages-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/rain.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/rain.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/rain.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/rain.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/rain.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/rain.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/rain.nasqueron.org/chain.pem;
include includes/letsencrypt;
@@ -55,6 +56,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/rain.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/rain.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/rain.nasqueron.org/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/tools51.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/tools51.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/tools51.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/tools51.conf
@@ -25,6 +25,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/tools51.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/tools51.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/tools51.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/tools51-error.log;
access_log /var/log/www/nasqueron.org/tools51-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/trustspace.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/trustspace.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/trustspace.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/trustspace.conf
@@ -22,6 +22,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/trustspace.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/trustspace.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/trustspace.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/trustspace-error.log;
access_log /var/log/www/nasqueron.org/trustspace-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www.conf
@@ -26,6 +26,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/www-error.log;
access_log /var/log/www/nasqueron.org/www-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www51.conf b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www51.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www51.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www51.conf
@@ -27,6 +27,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www51.nasqueron.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www51.nasqueron.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www51.nasqueron.org/chain.pem;
error_log /var/log/www/nasqueron.org/www51-error.log;
access_log /var/log/www/nasqueron.org/www51-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/test.ook.space/migration.mediawiki.conf b/roles/webserver-alkane/nginx/files/vhosts/test.ook.space/migration.mediawiki.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/test.ook.space/migration.mediawiki.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/test.ook.space/migration.mediawiki.conf
@@ -30,6 +30,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/migration.mediawiki.test.ook.space/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/migration.mediawiki.test.ook.space/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/migration.mediawiki.test.ook.space/chain.pem;
error_log /var/log/www/ook.space/migration-mediawiki-test-error.log;
access_log /var/log/www/ook.space/migration-mediawiki-test-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/api.conf b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/api.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/api.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/api.conf
@@ -24,6 +24,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/chain.pem;
error_log /var/log/www/wolfplex.org/api-error.log;
access_log /var/log/www/wolfplex.org/api-access.log;
@@ -55,6 +56,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/chain.pem;
error_log /var/log/www/wolfplex.org/api51-error.log;
access_log /var/log/www/wolfplex.org/api51-access.log;
@@ -106,6 +108,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/chain.pem;
return 301 https://api.wolfplex.org$request_uri;
}
@@ -116,6 +119,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/api.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/api.wolfplex.org/chain.pem;
return 301 https://api51.wolfplex.org$request_uri;
}
diff --git a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/assets.conf b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/assets.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/assets.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/assets.conf
@@ -21,6 +21,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/assets.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/assets.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/assets.wolfplex.org/chain.pem;
error_log /var/log/www/wolfplex.org/assets-error.log;
access_log /var/log/www/wolfplex.org/assets-access.log;
diff --git a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/www.conf b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/www.conf
--- a/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/www.conf
+++ b/roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/www.conf
@@ -24,6 +24,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/chain.pem;
error_log /var/log/www/wolfplex.org/www-error.log;
access_log /var/log/www/wolfplex.org/www-access.log;
@@ -98,6 +99,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/chain.pem;
include includes/letsencrypt;
@@ -114,6 +116,7 @@
include includes/tls;
ssl_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.wolfplex.org/privkey.pem;
+ ssl_trusted_certificate /usr/local/etc/letsencrypt/live/www.wolfplex.org/chain.pem;
include includes/letsencrypt;
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -81,22 +81,6 @@
- name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
- creates: {{ dirs.etc }}/nginx/dhparams.pem
-# -------------------------------------------------------------
-# OCSP - Online Certificate Status Protocol
-#
-# To allow nginx to verify TLS certificate presented by CA
-# when it makes requests to the CRL, a bundle of CA certificates
-# should be available.
-#
-# To generate the bundle file on this repository, use `make`.
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/usr/local/share/certs/ocsp-ca-certs.pem:
- file.managed:
- - source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
- - makedirs: True
- - mode: 644
-
# -------------------------------------------------------------
# Logs
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/roles/webserver-core/nginx/files/includes/tls b/roles/webserver-core/nginx/files/includes/tls
--- a/roles/webserver-core/nginx/files/includes/tls
+++ b/roles/webserver-core/nginx/files/includes/tls
@@ -56,17 +56,9 @@
# To improve TLS handshake speed, and to help protecting the
# privacy of the users connecting here, as there isn't any need
# for them to connect to the CRL anymore, OSCP is enabled.
-#
-# The parameter `ssl_trusted_certificate` points to a bundle
-# of CA certificates, currently containing Let's Encrypt
-# intermediate and root certificates. If *any* certificate
-# is issued by another CA, their certificates must be added
-# to the bundle too.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ssl_stapling on;
ssl_stapling_verify on;
-ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
-
resolver 127.0.0.1;
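Review bot: `ssl_stapling_verify on;` stays in this shared include while the `ssl_trusted_certificate` it relies on is removed, so any vhost that includes `includes/tls` without declaring its own trusted chain loses a working stapling verification. The same applies to the identical hunk in `includes/tls-modern-only`. Whether every vhost using these includes is covered by this diff cannot be confirmed from the hunks shown, so it is worth grepping for `include includes/tls` blocks that lack the directive before deploying. The removed comment paragraph should be replaced rather than dropped, for example `# Each vhost must set ssl_trusted_certificate to the chain of its own` / `# certificate issuer; ssl_stapling_verify depends on it.`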
diff --git a/roles/webserver-core/nginx/files/includes/tls-modern-only b/roles/webserver-core/nginx/files/includes/tls-modern-only
--- a/roles/webserver-core/nginx/files/includes/tls-modern-only
+++ b/roles/webserver-core/nginx/files/includes/tls-modern-only
@@ -53,17 +53,9 @@
# To improve TLS handshake speed, and to help protecting the
# privacy of the users connecting here, as there isn't any need
# for them to connect to the CRL anymore, OSCP is enabled.
-#
-# The parameter `ssl_trusted_certificate` points to a bundle
-# of CA certificates, currently containing Let's Encrypt
-# intermediate and root certificates. If *any* certificate
-# is issued by another CA, their certificates must be added
-# to the bundle too.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ssl_stapling on;
ssl_stapling_verify on;
-ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem;
-
resolver 127.0.0.1;
diff --git a/utils/generate-ocsp-bundle.sh b/utils/generate-ocsp-bundle.sh
deleted file mode 100755
--- a/utils/generate-ocsp-bundle.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/sh
-
-# -------------------------------------------------------------
-# rOPS — generate OCSP bundle with CA certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-# -------------------------------------------------------------
-# Let's encrypt
-#
-# Active certificates:
-# - Let’s Encrypt R10 - signed by ISRG Root X1
-# - Let’s Encrypt R11 - signed by ISRG Root X1
-# - Let’s Encrypt E5 - signed by ISRG Root X1 and X2
-# - Let’s Encrypt E6 - signed by ISRG Root X1 and X2
-#
-# Backup certificates:
-# - Let’s Encrypt R12 - signed by ISRG Root X1
-# - Let’s Encrypt R13 - signed by ISRG Root X1
-# - Let’s Encrypt R14 - signed by ISRG Root X1
-# - Let’s Encrypt E7 - signed by ISRG Root X1 and X2
-# - Let’s Encrypt E8 - signed by ISRG Root X1 and X2
-# - Let’s Encrypt E9 - signed by ISRG Root X1 and X2
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-curl -sS https://letsencrypt.org/certs/2024/r10.pem
-curl -sS https://letsencrypt.org/certs/2024/r11.pem
-curl -sS https://letsencrypt.org/certs/2024/r12.pem
-curl -sS https://letsencrypt.org/certs/2024/r13.pem
-curl -sS https://letsencrypt.org/certs/2024/r14.pem
-
-curl -sS https://letsencrypt.org/certs/2024/e5.pem
-curl -sS https://letsencrypt.org/certs/2024/e6.pem
-curl -sS https://letsencrypt.org/certs/2024/e7.pem
-curl -sS https://letsencrypt.org/certs/2024/e8.pem
-curl -sS https://letsencrypt.org/certs/2024/e9.pem
-
-curl -sS https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
-curl -sS https://letsencrypt.org/certs/isrg-root-x2-cross-signed.pem
diff --git a/utils/migrations/nginx-add-ssl-trusted-certificate.py b/utils/migrations/nginx-add-ssl-trusted-certificate.py
new file mode 100755
--- /dev/null
+++ b/utils/migrations/nginx-add-ssl-trusted-certificate.py
@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+
+# -------------------------------------------------------------
+# nginx :: add ssl_trusted_certificate for T2114
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Add ssl_trusted_certificate in vhosts config
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+
+import sys
+
+
+# -------------------------------------------------------------
+# nginx
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def decorate_config_file(config_path):
+ output_lines = []
+
+ with open(config_path) as fd:
+ for line in fd:
+ output_lines.append(line)
+
+ if line.strip().startswith("ssl_certificate_key"):
+ extra_line = line.replace("privkey.pem", "chain.pem").replace(
+ "ssl_certificate_key", "ssl_trusted_certificate"
+ )
+ output_lines.append(extra_line)
+
+ with open(config_path, "w") as fd:
+ fd.writelines(output_lines)
+
+
+# -------------------------------------------------------------
+# Application entry point
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def run(to_process_paths):
+ for to_process_path in to_process_paths:
+ try:
+ decorate_config_file(to_process_path)
+ except Exception as e:
+ print(f"Error processing {to_process_path}: {e}", file=sys.stderr)
+
+
+if __name__ == "__main__":
+ argc = len(sys.argv)
+
+ if argc < 2:
+ print(
+ f"Usage: {sys.argv[0]} <config file> [<config file> ...]", file=sys.stderr
+ )
+ sys.exit(1)
+
+ run(sys.argv[1:])
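Review bot: `decorate_config_file` derives the new directive from every `ssl_certificate_key` line without checking that the path contains `privkey.pem`, so a vhost with a different key file name gets `ssl_trusted_certificate` pointing at the private key itself, which is what the `mail.conf` hunk in this diff shows. The function is also not idempotent: a second run appends another `ssl_trusted_certificate` after each key line, and nginx normally rejects a duplicate of this directive. Raising before the write leaves the file untouched, and `run` already reports the error per path. Separately, `run` swallows all exceptions and the script still exits 0, so a failed migration is easy to miss; tracking a failure flag and calling `sys.exit(1)` at the end would make that visible.

```python
def decorate_config_file(config_path):
    with open(config_path) as fd:
        lines = fd.readlines()

    # Already migrated: adding the directive again would duplicate it.
    if any(line.strip().startswith("ssl_trusted_certificate") for line in lines):
        return

    output_lines = []
    for line in lines:
        output_lines.append(line)

        if line.strip().startswith("ssl_certificate_key"):
            if "privkey.pem" not in line:
                # Not the certbot layout: the chain path cannot be derived
                # from the key path, so refuse instead of guessing.
                raise ValueError(f"cannot derive chain path from: {line.strip()}")
            # … unchanged: build extra_line and append it …

    # … unchanged: write output_lines back to config_path …
```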
