Page MenuHomeDevCentral
Differential D3637

Switch from certificates bundle to chain for nginx OCSP
DraftPublic
Actions

Authored by dereckson on Sun, May 18, 09:43.
This is a draft revision that has not yet been submitted for review.

Details

Reviewers
DorianWinty
ledesillusionniste
Maniphest Tasks
T2114: Improve nginx SSL stapling configuration
Summary

Ref T2114.

Test Plan

nginx -t

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Errors
SeverityLocationCodeMessage
Errorutils/migrations/nginx-add-ssl-trusted-certificate.py:12F401flake8 F401
Errorutils/migrations/nginx-add-ssl-trusted-certificate.py:29E501flake8 E501
Errorutils/migrations/nginx-add-ssl-trusted-certificate.py:53E501flake8 E501
Unit
No Test Coverage
Branch
nginx-ocsp
Build Status
Buildable 5808
Build 6090: arc lint + arc unit

Event Timeline

dereckson created this revision.Sun, May 18, 09:43
dereckson held this revision as a draft.
Harbormaster completed remote builds in B5807: Diff 9405.Sun, May 18, 09:43
dereckson added a comment.Sun, May 18, 09:44

TODO: add in EACH nginx configuration file ssl_trusted_certificate .../chain.pem;

dereckson updated this revision to Diff 9406.Sun, May 18, 10:45

Let's add all the configuration lines

Herald added a reviewer: ledesillusionniste. · View Herald TranscriptSun, May 18, 10:45

This change touches Wolfplex files. As such, administrative approval is needed from Wolfplex technical contact.

Harbormaster completed remote builds in B5808: Diff 9406.Sun, May 18, 10:45
dereckson updated this revision to Diff 9407.Sun, May 18, 10:46

flake8/black

Harbormaster completed remote builds in B5809: Diff 9407.Sun, May 18, 10:46
dereckson added a comment.Sun, May 18, 11:01

I've still the following block on Dwellers:

nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/dwellers.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/artifacts.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/airflow.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/bugzilla.espace-win.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/jenkins.test.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/notifications.integration.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/forms.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/orange-rabbit.integration.nasqueron.org/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/srv/letsencrypt/etc/live/vault-notifications.integration.nasqueron.org/fullchain.pem"
dereckson added a comment.Sun, May 18, 11:05

Tested also on docker-002, it works fine.

$ salt '*' nginx.version
dwellers:
    1.26.0
docker-002:
    1.22.1
hervil:
    1.26.2
web-001:
    1.26.2
windriver:
    1.26.2

Revision Contents
Changeset List

PathSize
3 lines
roles/
devserver/
webserver-home/
files/
1 line
paas-docker/
nginx/
files/
vhosts/
1 line
1 line
1 line
base/
1 line
1 line
1 line
1 line
1 line
1 line
1 line
2 lines
1 line
1 line
5 lines
1 line
1 line
1 line
1 line
1 line
1 line
saas-mediawiki/
nginx/
files/
vhosts/
nasqueron.org/
1 line
1 line
test.ook.space/
1 line
shellserver/
web-hosting/
files/
eglide/
nginx/
vhosts/
1 line
webserver-alkane/
nginx/
files/
vhosts/
dereckson.be/
1 line
1 line
1 line
1 line
3 lines
1 line
1 line
espace-win.org/
1 line
1 line
3 lines
hypership.space/
2 lines
nasqueron.org/
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
1 line
2 lines
1 line
1 line
1 line
1 line
test.ook.space/
1 line
wolfplex.org/
4 lines
1 line
3 lines
webserver-core/
nginx/
16 lines
files/
includes/
8 lines
8 lines
utils/
migrations/
56 lines

Diff 9406

View Options

Makefile

Loading...
View Options

roles/devserver/webserver-home/files/001-server.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/_default.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/acme_dns.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/auth-grove.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/base/server.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/bugzilla.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/cachet.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/etherpad.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/hauk.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/jenkins.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/notifications.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/openfire.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/orbeon.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/penpot_web.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/phabricator.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/pixelfed.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/rabbitmq.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/registry.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/sentry.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/tommy.conf

Loading...
View Options

roles/paas-docker/nginx/files/vhosts/vault.conf

Loading...
View Options

roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/agora.conf

Loading...
View Options

roles/saas-mediawiki/nginx/files/vhosts/nasqueron.org/wikis.conf

Loading...
View Options

roles/saas-mediawiki/nginx/files/vhosts/test.ook.space/mediawiki.conf

Loading...
View Options

roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/assets.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/hg.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/mediawiki.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/scherzo.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/www51.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/dereckson.be/zed51.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/espace-win.org/cosmo.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/espace-win.org/grip.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/espace-win.org/www.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/hypership.space/www.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/admin.mail.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/api51.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/assets.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/autoconfig.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/daeghrefn.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docker.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/docs.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/drive.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/ftp.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/grafana.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/infra.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/join.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/labs.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/launch.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/mail.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/packages.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/rain.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/tools51.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/trustspace.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/nasqueron.org/www51.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/test.ook.space/migration.mediawiki.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/api.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/assets.conf

Loading...
View Options

roles/webserver-alkane/nginx/files/vhosts/wolfplex.org/www.conf

Loading...
View Options

roles/webserver-core/nginx/config.sls

Loading...
View Options

roles/webserver-core/nginx/files/includes/tls

Loading...
View Options

roles/webserver-core/nginx/files/includes/tls-modern-only

Loading...
View Options

utils/generate-ocsp-bundle.sh

Loading...
View Options

utils/migrations/nginx-add-ssl-trusted-certificate.py

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator