Now that acme-chief is providing prefetched OCSP stapling responses, clients supporting it (nginx-based ones) can start to use them.
Description
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Vgutierrez | T219765 Implement server-side OCSP stapling
Resolved | | Vgutierrez | T232988 Use acme-chief provided OCSP stapling responses
Event Timeline
Change 537062 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Enable OCSP
Mentioned in SAL (#wikimedia-operations) [2019-09-16T10:45:08Z] <vgutierrez> Enabling OCSP prefetched responses for the non-canonical redirect service - T232988
Change 537062 merged by Vgutierrez:
[operations/puppet@production] ncredir: Enable OCSP
Change 537066 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] nagios_common: Provide a HTTPS check for LE with OCSP
Change 537067 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Check OCSP stapling on HTTPS icinga check
Change 537066 merged by Vgutierrez:
[operations/puppet@production] nagios_common: Provide a HTTPS check for LE with OCSP
Change 537067 merged by Vgutierrez:
[operations/puppet@production] ncredir: Check OCSP stapling on HTTPS icinga check
Change 537075 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ncredir: Monitor TLS handshake + OCSP stapling for every configured cert
Change 537075 merged by Vgutierrez:
[operations/puppet@production] ncredir: Monitor TLS handshake + OCSP stapling for every configured cert
Change 537593 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] install_server: Enable OCSP stapling and SSL monitoring
Change 537789 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief,ATS,tlsproxy: Move to acme-chief centrally managed OCSP responses
Change 537789 merged by Vgutierrez:
[operations/puppet@production] acme_chief,ATS,tlsproxy: Move to acme-chief centrally managed OCSP responses
Change 537923 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] acme_chief: Remove update-ocsp.d leftovers
Change 537927 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS,tlsproxy: ocsp parameter for acme_chief::cert is not needed anymore
Change 537923 merged by Vgutierrez:
[operations/puppet@production] acme_chief: Remove update-ocsp.d leftovers
Change 537927 merged by Vgutierrez:
[operations/puppet@production] ATS,tlsproxy: ocsp parameter for acme_chief::cert is not needed anymore
Change 537593 merged by Vgutierrez:
[operations/puppet@production] install_server: Enable OCSP stapling and SSL monitoring
Change 538165 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Adjust OCSP freshness check for acme-chief managed responses
Change 538165 merged by Vgutierrez:
[operations/puppet@production] ATS: Adjust OCSP freshness check for acme-chief managed responses
Change 538582 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/puppet@production] ATS: Set sysconfdir back as a read-only directory
Change 538582 merged by Vgutierrez:
[operations/puppet@production] ATS: Set sysconfdir back as a read-only directory
The swap of Traffic for Traffic-Icebox in this ticket's set of tags was based on a bulk action for all such tickets that haven't been updated in 6 months or more. This does not imply any human judgement about the validity or importance of the task, and is simply the first step in a larger task cleanup effort. Further manual triage and/or requests for updates will happen this month for all such tickets. For more detail, have a look at the extended explanation on the main page of Traffic-Icebox. Thank you!