Which file for ssl_trusted_certificate in nginx conf with OCSP? #275

Closed
opened 2025-12-29 01:20:51 +01:00 by adam · 6 comments

Originally created by @pandark on GitHub (Jan 28, 2018).

I'm a bit confused about OCSP… I saw some talk about a `.der` file but there is no such file in `${CERTDIR}/<DOMAIN_NAME>/` where my `.csr` and `.pem` are, even though I set `OCSP_FETCH` and `OCSP_MUST_STAPLE` to "yes".

Should this file exist, or am I supposed to use `fullchain.pem` as I saw in some example config elsewhere?
adam closed this issue 2025-12-29 01:20:51 +01:00

@lukas2511 commented on GitHub (Jan 28, 2018):

`ssl_trusted_certificate` has nothing to do with ocsp, that value in nginx is for client tls authentication.

With `OCSP_FETCH=yes` in your config you should get a `certs/your.cert/ocsp.der` file, which you can use by setting `ssl_stapling_file "/etc/dehydrated/certs/your.cert/ocsp.der";` in your nginx configuration. If the `ocsp.der` link is missing, double-check your config; it should be created when the dehydrated cron operation is running.
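A pre-reload check that follows from the answer above, written as an added example for this thread rather than code from dehydrated or from either participant: it verifies that `certs/<name>/ocsp.der` exists (following the symlink dehydrated creates), is non-empty and is recent, and only then prints the `ssl_stapling_file` directive for nginx. The directory layout (`<certdir>/<first name on the domains.txt line>/ocsp.der`) is the one described in the thread; the freshness limit `OCSP_MAX_AGE_MIN`, the function names and the sample `domains.txt` contents are assumptions.

```sh
#!/bin/sh
# Added example, not part of dehydrated or of this thread: verify the OCSP
# response file that dehydrated writes with OCSP_FETCH=yes before nginx is
# (re)loaded with ssl_stapling_file pointing at it.

# Assumed freshness limit in minutes (1 day). Pick something larger than the
# interval of the cron job that runs dehydrated, otherwise healthy files fail.
OCSP_MAX_AGE_MIN="${OCSP_MAX_AGE_MIN:-1440}"

# check_ocsp_file <path>
# Returns 0 when <path> (following the ocsp.der symlink) is a non-empty file
# modified within OCSP_MAX_AGE_MIN minutes; otherwise prints why to stderr
# and returns 1.
check_ocsp_file() {
    f="$1"
    if [ -L "$f" ] && [ ! -e "$f" ]; then
        echo "$f: symlink points at a missing file" >&2
        return 1
    fi
    if [ ! -f "$f" ]; then
        echo "$f: missing (OCSP_FETCH=yes set? has the cron run yet?)" >&2
        return 1
    fi
    if [ ! -s "$f" ]; then
        echo "$f: empty" >&2
        return 1
    fi
    # find -L follows the symlink; -mmin +N matches files older than N minutes
    if [ -n "$(find -L "$f" -mmin +"$OCSP_MAX_AGE_MIN" 2>/dev/null)" ]; then
        echo "$f: older than $OCSP_MAX_AGE_MIN minutes, stapled response may have expired" >&2
        return 1
    fi
    return 0
}

# stapling_directive <certdir> <name>
# Prints the nginx directives for <certdir>/<name>/ocsp.der when the check
# passes; prints nothing and returns 1 otherwise, so stapling is never
# enabled against a file nginx could not serve.
stapling_directive() {
    f="$1/$2/ocsp.der"
    check_ocsp_file "$f" || return 1
    printf 'ssl_stapling on;\nssl_stapling_file "%s";\n' "$f"
}

# check_all <certdir> <domains.txt>
# Treats the first name on each non-comment line as the certificate directory
# name (the layout the thread describes); returns 1 if any check fails.
check_all() {
    rc=0
    while read -r primary rest || [ -n "$primary" ]; do
        case "$primary" in ''|'#'*) continue ;; esac
        stapling_directive "$1" "$primary" || rc=1
    done < "$2"
    return "$rc"
}
```

Run `check_all /etc/dehydrated/certs /etc/dehydrated/domains.txt` from whatever reloads nginx after a dehydrated run; a non-zero exit means the file nginx would staple from is missing, empty or stale, which is exactly the situation the original question describes.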

@pandark commented on GitHub (Jan 29, 2018):

Ok. I was wrong on the nginx side.

Still, I have neither `ocsp.der` link nor `ocsp-*.der` file.
It may be because I'm using the debian stretch version, though. It's still 0.3.1.

@lukas2511 commented on GitHub (Jan 29, 2018):

@pandark ocsp stuff was introduced in 0.5.0 which should be in stretch-backports by now

@pandark commented on GitHub (Jan 29, 2018):

Unfortunately, only 0.4.0 is in stretch-backports.
Until it's there, I'm using the dirty-hack way, fetching all hosts from `domains.txt` with curl when nginx starts or reloads, and it seems to work.

```sh
# Request every name from domains.txt over HTTPS with OCSP status checking
# (--cert-status) so nginx fetches its OCSP response right after a start/reload.
# Word-splitting of $(cat ...) turns every name on a line into its own host.
for domain in $(/bin/cat /etc/dehydrated/domains.txt); do
    echo "fetching https://${domain}/";
    /usr/bin/curl --silent --cert-status "https://${domain}/" >/dev/null;
done;
```

@lukas2511 commented on GitHub (Jan 29, 2018):

@pandark your mirror must be a bit behind, dehydrated 0.5.0 was approved in stretch-backports a few hours ago: https://packages.debian.org/stretch-backports/dehydrated

@pandark commented on GitHub (Jan 29, 2018):

Yep. Cool! After a few adjustments everything is working 👍
Thanks.

Reference: starred/dehydrated#275