Welcome.
The question is then: why does the OCSP staple file expire after hours or 7
days while the certificate is only renewed after 60 days, following man 1
acme-client:
-F Force certificate renewal, even if it has more than 30 days
validity.
It can't be the idea to have such a long-expired OCSP file (I saw Firefox in
the past complain when an outdated OCSP file exists). So, if you replace
the first && with a ; nothing will change, as the last && to reload
relayd will only happen if the cert or the OCSP file (or both) was
renewed, and if both are up to date nothing will happen.
Just my 2 cents.
Regards,
Christoph
On 30.07.22 at 19:07, Horia Racoviceanu wrote:
Thanks for testing!
As Stuart Henderson mentioned,
You do really want to update OCSP if a cert has been renewed.
On 7/29/22, Christoph Roland Winter <me@the.floof.rocks> wrote:
Hello,
I have only kept the first message and was not subscribed to the list for
some time - let's see where the message ends.
I tried the latest patch from
https://marc.info/?l=openbsd-ports&m=165827470732358&q=p3 and it worked
fine using
OpenBSD 7.2-beta (GENERIC.MP) #654: Wed Jul 27 20:10:05 MDT 2022 and the
-current ports tree using amd64.
Maybe I am wrong but the crontab from the above patch
+~ ~ * * * acme-client honk.example.com && ocspcheck -No
${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl reload relayd
needs to be modified. The first && must be replaced with ; (or split
into 2 cron jobs). As it is now, the ocsp file gets only renewed every 60
days, as acme-client renews the certificate only 30 days before it
expires (checked with the -v option and as nothing happened before, &&
stops at this point). BTW my ocsp file with the above command is valid
for 7 days.
ocspcheck -vNo /etc/ssl/the.floof.rocks.{ocsp,crt}
Using http to host r3.o.lencr.org, port 80, path /
OCSP response validated from r3.o.lencr.org
This Update: Thu Jul 28 15:00:00 2022
Next Update: Thu Aug 4 14:59:58 2022
The only thing I did was using the /etc/examples/acme-client.conf file,
added my email and added the domain blocks.
Regards,
Christoph
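As an added example (not the port's or acme-client's own code), a constructed shell model of the cron line from the patch and of the ; variant discussed above. The real commands are replaced by stand-ins whose exit statuses follow acme-client(1) (0 renewed, 2 nothing changed, 1 failure); the ocspcheck stand-in is an assumption modelled only as 0 (staple written) or 1.

```shell
#!/bin/sh
# Constructed model of the two cron lines from the thread; not the port's code.
# The real commands are replaced by stand-ins whose exit status the caller picks.
# acme-client(1) exits 0 when a certificate was renewed, 2 when nothing changed,
# 1 on failure. The ocspcheck stand-in is only modelled as 0 (written) or 1.
fake_acme()   { return "$ACME_RC"; }
fake_ocsp()   { OCSP_RAN=1; return "$OCSP_RC"; }
fake_reload() { RELOADED=1; }

# run_job MODE ACME_RC OCSP_RC
# MODE "and"  models: acme-client ... && ocspcheck ... && rcctl reload relayd
# MODE "semi" models: acme-client ... ;  ocspcheck ... && rcctl reload relayd
# Prints "ocsp=<0|1> reload=<0|1>": did ocspcheck run, was relayd reloaded.
run_job() {
    set +e          # cron runs the line in a plain sh without -e; mirror that
    mode=$1; ACME_RC=$2; OCSP_RC=$3; OCSP_RAN=0; RELOADED=0
    case $mode in
        and)  fake_acme && fake_ocsp && fake_reload ;;
        semi) fake_acme ; fake_ocsp && fake_reload ;;
    esac
    echo "ocsp=$OCSP_RAN reload=$RELOADED"
}

# Walk the cases from the thread: a day on which acme-client renewed (rc=0)
# and the usual day on which the cert still has >30 days left (rc=2),
# with ocspcheck succeeding each time.
for mode in and semi; do
    for acme_rc in 0 2; do
        echo "$mode chain, acme-client rc=$acme_rc: $(run_job "$mode" "$acme_rc" 0)"
    done
done
```

With the && chain, rc=2 from acme-client stops the line before ocspcheck, so the staple is only refreshed on the renewal day; with ; the staple is refreshed on every run and relayd is reloaded only when ocspcheck succeeded.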
On 01.06.22 at 23:37, Horia Racoviceanu wrote:
Upgrade to v0.9.8
- Add MESSAGE
- Update README
changelog
=== 0.9.8 Tentative Tentacle
+ Switch database to WAL mode.
- go version 1.16 required.
+ Specify banner: image in profile.
+ Update activity compatibility with mastodon.
- Signed fetch.
+ Better unicode hashtags.
+ Some more configuration options.
+ Some UI improvements to web interface.
+ Add atme class to mentions
+ Improvements to the mastodon importer.
+ More hydration capable pages.
+ Support for local.js.
+ Better error messages for timeouts.
+ Some improved html and markdown.