Ref T2114.
Details
Details
- Reviewers
DorianWinty ledesillusionniste - Maniphest Tasks
- T2114: Improve nginx SSL stapling configuration
nginx -t
Diff Detail
Diff Detail
- Repository
- rOPS Nasqueron Operations
- Lint
Lint Errors Severity Location Code Message Error utils/migrations/nginx-add-ssl-trusted-certificate.py:12 F401 flake8 F401 Error utils/migrations/nginx-add-ssl-trusted-certificate.py:29 E501 flake8 E501 Error utils/migrations/nginx-add-ssl-trusted-certificate.py:53 E501 flake8 E501 - Unit
No Test Coverage - Branch
- nginx-ocsp
- Build Status
Buildable 5808 Build 6090: arc lint + arc unit
Event Timeline
Comment Actions
This change touches Wolfplex files. As such, administrative approval is needed from Wolfplex technical contact.
Comment Actions
I've still the following block on Dwellers:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/dwellers.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/artifacts.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/airflow.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/bugzilla.espace-win.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/jenkins.test.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/notifications.integration.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/forms.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/orange-rabbit.integration.nasqueron.org/fullchain.pem" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/vault-notifications.integration.nasqueron.org/fullchain.pem"
Comment Actions
Tested also on docker-002, it works fine.
$ salt '*' nginx.version dwellers: 1.26.0 docker-002: 1.22.1 hervil: 1.26.2 web-001: 1.26.2 windriver: 1.26.2
Comment Actions
Ref T2116.
Let's Encrypt doesn't support OCSP anymore.
We'll keep the bundle deletion but not the chain configuration.