On 2022/06/19 13:28, Horia Racoviceanu wrote:
> From my tests, the OCSP response is valid for a few hours e.g.
>
> Using http to host ocsp.buypass.com, port 80, path /
> OCSP response validated from ocsp.buypass.com
> This Update: Sun Jun 19 09:55:11 2022
> Next Update: Sun Jun 19 17:55:11 2022
>
> This is why I don't use "&&" to restart relayd when there's a new OCSP
> response without a certificate renewal or vice versa.
>
> relayd could restart only when there's a new OCSP response but I
> haven't tested it e.g.
>
> ~ * * * * acme-client honk.example.com; ocspcheck -No \
>     ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} && rcctl restart relayd
>
> Or I could separate acme-client and ocspcheck cron jobs and use "&&"
> on both but I'm afraid there may be a few minutes of stale OCSP
> response e.g.
>
> ~ * * * * acme-client honk.example.com && rcctl restart relayd
> ~ * * * * ocspcheck -No ${SYSCONFDIR}/ssl/honk.example.com.{ocsp,crt} \
>     && rcctl restart relayd
>
> What do you think?
acme-client doesn't need to run every hour. Once a day is plenty.

You do really want to update OCSP if a cert has been renewed.

Isn't "reload" enough? A full restart of relayd is rather disruptive
especially if it's running multiple services.

Looking at the existing pkg-readme:

: Icon and favicon
: ----------------
:
: honk# mkdir ${VARBASE}/www/htdocs/honk
: honk# ftp -o ${VARBASE}/www/htdocs/honk/icon.png \
:     https://honk.tedunangst.com/icon.png
: honk# ftp -o ${VARBASE}/www/htdocs/honk/favicon.ico \
:     https://honk.tedunangst.com/favicon.ico

Why not include these in the package? Easiest way is probably to install
in /usr/local/share/examples/honk and @sample into /var/www.
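One way to put the points raised in this thread together (acme-client once a day, ocspcheck every hour, reload rather than restart, and only when the certificate or the staple actually changed), as an added example script that is not part of the thread or the honk port. The script name, the use of cksum for change detection and the /etc/ssl file names are assumptions; the exit codes relied on are acme-client's (0 changed, 2 unchanged, 1 error) and ocspcheck's (0 only after a valid response was written):

```shell
#!/bin/sh
# Added example (not from the thread or the honk port): refresh the cert
# and OCSP staple, reload relayd only if one of the two files changed.
# crontab: "0 3 * * * renew-honk.sh renew" (daily renewal attempt) and
#          "~ * * * * renew-honk.sh staple" (hourly staple refresh).
# Assumes OpenBSD paths, acme-client exit codes 0=changed/2=unchanged/
# 1=error, ocspcheck exit 0 only after writing a valid staple; the
# script name is hypothetical.

DOMAIN=honk.example.com
CRT=/etc/ssl/${DOMAIN}.crt
OCSP=/etc/ssl/${DOMAIN}.ocsp
SERVICE=relayd

# Change detector: POSIX cksum (CRC + size), "missing" if absent.
fingerprint() {
    if [ -f "$1" ]; then cksum "$1" | cut -d' ' -f1,2; else echo missing; fi
}

# needs_reload CRT_BEFORE CRT_AFTER OCSP_BEFORE OCSP_AFTER -> 0 if either changed
needs_reload() {
    [ "$1" != "$2" ] || [ "$3" != "$4" ]
}

# main renew|staple
main() {
    crt_before=$(fingerprint "$CRT"); ocsp_before=$(fingerprint "$OCSP")

    if [ "$1" = renew ]; then
        acme-client "$DOMAIN"
        if [ $? -eq 1 ]; then echo "acme-client failed for $DOMAIN" >&2; return 1; fi
    fi

    # Always refresh the staple: responses expire every few hours whether
    # or not the certificate was renewed. -N: no nonce, -o: output file.
    ocspcheck -No "$OCSP" "$CRT" ||
        echo "no fresh OCSP response for $DOMAIN, keeping old staple" >&2

    crt_after=$(fingerprint "$CRT"); ocsp_after=$(fingerprint "$OCSP")
    if needs_reload "$crt_before" "$crt_after" "$ocsp_before" "$ocsp_after"; then
        rcctl reload "$SERVICE"   # reload, not restart: other services stay up
    fi
}

case "$1" in
    renew|staple) main "$1" ;;
    *) echo "usage: $0 renew|staple" >&2 ;;
esac
```

Because the staple is refreshed on every run, the "few minutes of stale OCSP response" window from two independent cron jobs goes away, and relayd is only touched when there is something new to load.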