Vincent Bernat 1251b34b5b nixos/nginx: ensure TLS OCSP stapling works out of the box with LE
The recommended TLS configuration comes with `ssl_stapling on` and
`ssl_stapling_verify on`. However, this last directive also requires
the use of `ssl_trusted_certificate` to verify the received answer.
When using `enableACME` or similar, we can help the user by providing
the correct value for the directive.

The result can be tested with:

    openssl s_client -connect web.example.com:443 -status 2> /dev/null

Without OCSP stapling, we get:

    OCSP response: no response sent

After this change, we get:

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Aug 30 20:46:00 2018 GMT
2018-08-30 22:47:41 +02:00
2018-08-27 19:54:41 -04:00
2018-08-28 23:18:55 +02:00
2018-07-06 12:48:43 -04:00
2018-01-04 17:59:52 -05:00

logo

Code Triagers Badge

Nixpkgs is a collection of packages for the Nix package manager. It is periodically built and tested by the Hydra build daemon as so-called channels. To get channel information via git, add nixpkgs-channels as a remote:

% git remote add channels https://github.com/NixOS/nixpkgs-channels.git

For stability and maximum binary package support, it is recommended to maintain custom changes on top of one of the channels, e.g. nixos-18.03 for the latest release and nixos-unstable for the latest successful build of master:

% git remote update channels
% git rebase channels/nixos-18.03

For pull-requests, please rebase onto nixpkgs master.

NixOS Linux distribution source code is located inside nixos/ folder.

Communication:

Description
No description provided
Readme 1.5 GiB
Languages
Nix 96.3%
Shell 1.8%
Python 0.7%
Perl 0.4%
C 0.3%
Other 0.1%