Switch from certificates bundle to chain for nginx OCSP
Abandoned, Public, Draft

Authored by dereckson on May 18 2025, 09:43.

Details

Summary

Ref T2114.

Test Plan

nginx -t

Diff Detail

Repository: rOPS Nasqueron Operations
Lint: Lint Errors
Unit: No Test Coverage
Branch: nginx-ocsp
Build Status: Buildable 5808
Build 6090: arc lint + arc unit

Event Timeline

dereckson held this revision as a draft.

TODO: add in EACH nginx configuration file ssl_trusted_certificate .../chain.pem;

Let's add all the configuration lines

This change touches Wolfplex files. As such, administrative approval is needed from Wolfplex technical contact.

I still have the following block on Dwellers:

nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/dwellers.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/artifacts.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/airflow.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/bugzilla.espace-win.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/jenkins.test.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/notifications.integration.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/forms.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/orange-rabbit.integration.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/vault-notifications.integration.nasqueron.org/fullchain.pem"

Also tested on docker-002; it works fine.

$ salt '*' nginx.version
dwellers:
    1.26.0
docker-002:
    1.22.1
hervil:
    1.26.2
web-001:
    1.26.2
windriver:
    1.26.2

Ref T2116.

Let's Encrypt doesn't support OCSP anymore.

We'll keep the bundle deletion but not the chain configuration.
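The condition behind the "ssl_stapling ignored, no OCSP responder URL" warnings quoted earlier in the timeline, and behind the closing note that Let's Encrypt no longer supports OCSP, is whether the leaf certificate carries an OCSP responder URL at all. The following shell script is an added example, not part of the rOPS change: it checks that condition per certificate and says for which hosts `ssl_stapling` should be dropped. It requires the openssl CLI; the host names, the self-signed certificates and the `<host>/fullchain.pem` layout it generates are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the rOPS change. nginx only staples when the leaf
# certificate carries an OCSP responder URL in its Authority Information Access
# extension; otherwise "ssl_stapling on" is ignored and `nginx -t` warns on every
# reload. Requires the openssl CLI; host names and certificates below are constructed.

# Print the OCSP responder URL(s) of the first certificate in a PEM file,
# nothing if the certificate has none.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Succeed when ssl_stapling can stay for this certificate, fail when the
# directive should be dropped from the server block using it.
stapling_supported() {
    [ -n "$(ocsp_uri "$1")" ]
}

# Walk a Let's Encrypt style live directory (<host>/fullchain.pem) and print one
# verdict per host.
report_live_dir() {
    for pem in "$1"/*/fullchain.pem; do
        host=$(basename "$(dirname "$pem")")
        if stapling_supported "$pem"; then
            echo "$host: OCSP responder $(ocsp_uri "$pem") -> ssl_stapling ok"
        else
            echo "$host: no OCSP responder URL -> remove ssl_stapling"
        fi
    done
}

# Constructed sample input: two self-signed certificates, one with an OCSP URL
# in its AIA extension, one without (what Let's Encrypt issues after dropping OCSP).
make_sample_live_dir() {
    dir=$(mktemp -d)
    for host in with-ocsp.example.test without-ocsp.example.test; do
        mkdir -p "$dir/$host"
        ext=""
        [ "$host" = with-ocsp.example.test ] &&
            ext="-addext authorityInfoAccess=OCSP;URI:http://ocsp.example.test/"
        # $ext is left unquoted on purpose so it expands to two arguments
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
            -keyout "$dir/$host/privkey.pem" -out "$dir/$host/fullchain.pem" \
            $ext >/dev/null 2>&1
    done
    echo "$dir"
}

report_live_dir "$(make_sample_live_dir)"
```

Pointing `report_live_dir` at a real live directory instead of the constructed one lists the vhosts whose server blocks still carry a useless `ssl_stapling on`.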