Re: mod_md usage for OCSP stapling

Steffen described the way to do it where you get the most benefits (thanks!). However, you do not need to declare "MDomain"s for all your certificates. You can also just configure

MDStapling on

and *all* the certificates in your Apache will be stapled by mod_md.

More details: see <https://github.com/icing/mod_md#how-to-staple-all-my-certificates>


Cheers, Stefan


> On 28.03.2020 at 11:28, Steffen <info@xxxxxxxxxxxxxxxx.INVALID> wrote:
> 
> Yep, very nice. In mod_status you can see:
> 
> Managed Staplings
> 
> Domain	Certificate ID	OCSP Status	Stapling Valid	Responder	Activity
> domain.com	3ff13e35fbe9d1ce4bcafbc3fd2ccd6ff5079eca	      good	until 2020-04-03	ocsp.int-x3.letsencrypt.org	Refresh in ~3 days
> 
> Try in global conf:
> 
> <MDomain domain.com www.domain.com ......> 
> MDCertificateFile conf/domain.com-chain.pem
> MDCertificateKeyFile conf/domain.com-key.pem 
> MDStapling on
> </MDomain>
> 
> MDMessageCmd c:/apache24/bin/MDMessageCmd.bat 
> MDNotifyCmd  c:/apache24/bin/MDNotifyCmd.bat
> 
> And remove the directives
> 
> SSLCertificateFile .....chain.pem
> SSLCertificateKeyFile ......key.pem 
> 
> See in the Readme.md the above directives.
> 
> The info is stored in MDStoreDir/ocsp
>  
> On Friday 27/03/2020 at 11:25, Marek Svent wrote:
>> Hi,
>> 
>> From 2.4 changelog I read that from next 2.4 release it's possible to
>> use mod_md OCSP stapling even for certificates not managed by mod_md.
>> It's very welcome as there are too many problems with mod_ssl stapling
>> code. However it's not clear to me how this could be configured.
>> 
>> I have many virtual hosts and none of the certificates is managed by
>> mod_md. However I'd like to switch to mod_md for stapling, but
>> continue to control per virtual host whether to staple at all. How do
>> I configure this?
>> 
>> Also it's unclear where stapling information is stored. MDStoreDir?
>> 
>> Regards,
>> 
>> -- 
>> Marek
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>> 
> 
> 
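
A monitoring check for the "Managed Staplings" table quoted above, added here as an example and not part of the thread or of mod_md. It assumes a tab-separated text rendering of the table with the six columns shown; the sample rows, the `find_problems` and `parse_rows` names, and the blank "Stapling Valid" case are constructed for illustration.

```python
from datetime import date, timedelta

COLUMNS = ["domain", "cert_id", "ocsp_status", "valid", "responder", "activity"]

# Constructed sample rows in the tab-separated layout quoted in the thread
# (not real server output; certificate IDs and hosts are placeholders).
SAMPLE = (
    "Domain\tCertificate ID\tOCSP Status\tStapling Valid\tResponder\tActivity\n"
    "a.example\t<cert-id-1>\t      good\tuntil 2020-04-03\tocsp.example\tRefresh in ~3 days\n"
    "b.example\t<cert-id-2>\trevoked\tuntil 2020-04-03\tocsp.example\tRefresh in ~3 days\n"
    "c.example\t<cert-id-3>\tgood\tuntil 2020-03-29\tocsp.example\tRefresh in ~1 hour\n"
    "d.example\t<cert-id-4>\tgood\t\tocsp.example\tWaiting for response\n"
)


def parse_rows(text):
    """Yield one dict per data row; the header and malformed rows are skipped."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("\t")]
        if len(cells) != len(COLUMNS) or cells[0] == "Domain":
            continue
        yield dict(zip(COLUMNS, cells))


def find_problems(text, today, min_days=1):
    """Return (domain, reason) for staplings that are not 'good', carry no
    validity date, or expire within min_days of today."""
    problems = []
    for row in parse_rows(text):
        if row["ocsp_status"] != "good":
            problems.append((row["domain"], "status " + row["ocsp_status"]))
            continue
        if not row["valid"].startswith("until "):
            # Assumed case: no OCSP response has been fetched yet.
            problems.append((row["domain"], "no stapled response"))
            continue
        expires = date.fromisoformat(row["valid"][len("until "):])
        if expires - today <= timedelta(days=min_days):
            problems.append((row["domain"], "expires " + expires.isoformat()))
    return problems


if __name__ == "__main__":
    for domain, reason in find_problems(SAMPLE, date(2020, 3, 28)):
        print(domain, reason)
```

A stapled response that is about to expire without having been refreshed usually means the responder is unreachable from the server, which is worth alerting on before clients that require stapling start failing.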

