spielwiese. (Posts about ssl.)https://spielwiese.fontein.de/tag/ssl.atom2024-01-05T07:10:20ZfelixNikolalet's encrypt: wildcard certs and certificate transparency.https://spielwiese.fontein.de/2018/03/31/lets-encrypt-wildcard-certs-and-certificate-transparency/2018-03-31T16:17:12+02:002018-03-31T16:17:12+02:00felix<p>this year, <a class="reference external" href="https://letsencrypt.org/">let's encrypt</a> added two great features:</p>
<ol class="arabic simple">
<li><p>they enabled the <a class="reference external" href="https://tools.ietf.org/html/draft-ietf-acme-acme-11">acme v2 protocol</a>, and allow to obtain <a class="reference external" href="https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578">wildcard certificates</a> through this.</p></li>
<li><p>they improved their <a class="reference external" href="https://en.wikipedia.org/wiki/Certificate_Transparency">certificate transparency</a> support by <a class="reference external" href="https://community.letsencrypt.org/t/signed-certificate-timestamps-embedded-in-certificates/57187">including signed certificate timestamp (sct) records</a> in the certificates. chrome will, for example, <a class="reference external" href="https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/sz_3W_xKBNY/6jq2ghJXBAAJ">require scts from april 2018 on</a>.</p></li>
</ol>
<p>i've already tried out both wildcard certificates and scts, and so far they work flawlessly! i've been using the acme v2 support in the <a class="reference external" href="https://docs.ansible.com/ansible/latest/modules/letsencrypt_module.html">letsencrypt</a> module of <a class="reference external" href="https://github.com/ansible/ansible/releases/tag/v2.5.0">ansible 2.5</a> (<a class="reference external" href="https://github.com/ansible/ansible/pull/37572">with a bugfix</a>), into which i invested quite some work.</p>finally, openssl 1.1.0!https://spielwiese.fontein.de/2017/04/28/finally-openssl-1.1.0/2017-04-28T23:24:55+02:002017-04-28T23:24:55+02:00felix<p>four days ago, <a class="reference external" href="https://en.wikipedia.org/wiki/Arch_Linux">arch linux</a> switched to <a class="reference external" href="https://en.wikipedia.org/wiki/OpenSSL#Major_version_releases">openssl 1.1.0</a>. openssl 1.1.0 was originally released at the end of last august, but since it has some breaking api changes, it's only slowly creeping into new linux distributions.</p>
<p>this also means that i can finally test my <a class="reference external" href="https://github.com/felixfontein/acme-compact">let's encrypt library</a>, <a class="reference external" href="https://github.com/felixfontein/letsencrypt-ansible/">let's encrypt ansible role</a> and <a class="reference external" href="https://github.com/felixfontein/ocspbot/">ocspbot</a> against openssl 1.1.0. the let's encrypt code worked out of the box (i've already incorporated a change somewhen earlier, even without being able to properly test it), but ocspbot needed a bit more work. there's a command line syntax change between 1.0.x and 1.1.0 when specifying http headers to ocsp calls; the old syntax was <code class="docutils literal"><span class="pre">-header</span> name value</code>, the new one is <code class="docutils literal"><span class="pre">-header</span> name=value</code>. so i had to add a version detection (i.e. parsing the output of <code class="docutils literal">openssl version</code>) to use the correct syntax depending on the used version. but now it works with both openssl 1.0.x and 1.1.0!</p>
<p>using openssl 1.1.0 on my server also allowed me to use <a class="reference external" href="https://en.wikipedia.org/wiki/X25519">x25519</a>, using <a class="reference external" href="https://en.wikipedia.org/wiki/Daniel_J._Bernstein">daniel j. bernstein</a>'s <a class="reference external" href="https://en.wikipedia.org/wiki/Curve25519">curve25519</a> in <a class="reference external" href="https://en.wikipedia.org/wiki/Edwards_curve">edwards form</a>, for secret key negotation (i.e. ephemeral <a class="reference external" href="https://en.wikipedia.org/wiki/Diffie-Hellman_key_exchange">diffie-hellman</a>). using it in nginx is pretty easy:</p>
<div class="code"><pre class="code nginx"><a id="rest_code_ecdd28714985435595c86d0d32d56c8f-1" name="rest_code_ecdd28714985435595c86d0d32d56c8f-1" href="https://spielwiese.fontein.de/2017/04/28/finally-openssl-1.1.0/#rest_code_ecdd28714985435595c86d0d32d56c8f-1"></a><span class="k">ssl_ecdh_curve</span><span class="w"> </span><span class="s">X25519:secp521r1:secp384r1</span><span class="p">;</span>
</pre></div>
<p>this uses x25519 as the default curve/key exchange, followed by the fallsbacks using <a class="reference external" href="https://en.wikipedia.org/wiki/ECDHE">ecdhe</a> with a 521-bit <a class="reference external" href="https://en.wikipedia.org/wiki/Elliptic_curve_cryptography#Fast_reduction_.28NIST_curves.29">nist curve</a> and then a 384-bit nist curve as a third fallback. (btw, note the uppercase x in x25519 — if you use the lowercase variant, nginx won't load the config.) the third curve is the only one supported by almost every browser; only a few support the 521-bit one, and right now only chrome supports x25519.</p>ocsp staplinghttps://spielwiese.fontein.de/2017/04/23/ocsp-stapling/2017-04-23T20:31:16+02:002017-04-23T20:31:16+02:00felix<section id="introduction">
<h2>introduction</h2>
<p>classically, revokation of <a class="reference external" href="https://en.wikipedia.org/wiki/Digital_certificate">certificates</a> was accomplished with <a class="reference external" href="https://en.wikipedia.org/wiki/Revocation_list">certificate revokation lists (crls)</a>. the idea was that browsers regularly download crls from the <a class="reference external" href="https://en.wikipedia.org/wiki/Certificate_authority">certificate authorities (cas)</a> and check whether certificates they see are on the list. this doesn't scale well, though. nowadays, there are many cas trusted by browsers in their default configuration, and crls tend to get huge.</p>
<p>a better solution is the <a class="reference external" href="https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol">online certificate status protocol (ocsp)</a>: a browser, when encountering a new certificate, asks the ocsp server of the browser (the url for it is contained in the certificate) whether the certificate is still valid. this has several downsides as well: first, ocsp servers are not always reliable. if a browser cannot connect to it (or doesn't get a reply), what should it do? deny access to the site? besides that, there's another large downside: privacy. the ocsp server knows which page you are visiting, because the browser tells it by asking whether its certificate is valid.</p>
<p><a class="reference external" href="https://en.wikipedia.org/wiki/OCSP_stapling">ocsp stapling</a> was invented to improve upon this: the idea is that the webserver itself asks the ocsp server for the status of its certificate, and delivers the answer together with the certificate to the connecting browser. as the ocsp response is signed by the cas certificate, the browser can verify that the response is valid. also, the expiration time of ocsp responses is much less than the one for certificates, so if a certificate is revoked, existing ocsp responses will only be valid for a couple of more days.</p>
<p>this is pretty good already, except that a malicious webserver could simply not send the ocsp response with its certificate. if a browser cannot contact the ocsp server itself, it has no way to know whether the certificate is revoked or not. to overcome this, <a class="reference external" href="https://scotthelme.co.uk/ocsp-must-staple/">ocsp must-staple</a> was invented. this is a flag in the certificate itself which says that the certificate is only valid with a valid and good ocsp response. so if a browser encounters a certificate with this flag, and the webserver isn't ocsp stapling, the browser knows that something is fishy.</p>
<p>unfortunately, there are some downsides. first, most the most common webservers for linux, <a class="reference external" href="https://en.wikipedia.org/wiki/Apache_HTTP_Server">apache</a> and <a class="reference external" href="https://en.wikipedia.org/wiki/Nginx">nginx</a>, while having ocsp stapling support, do in some situations send replies without ocsp stapling. if the certificate has the ocsp must-staple flag set, these answers result in error pages shown in browsers. and that's something you really want to avoid, that visitors of your page thing there's something bad happening.</p>
<p>fortunately, at least for nginx, you can specify a file containing an ocsp response directly with the <a class="reference external" href="http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file"><code class="docutils literal">ssl_stapling_file</code> directive</a>. unfortunately, you have to make sure you always have a good and valid ocsp response at that place, and reload nginx in case the response is updated. other programs allow to specify an ocsp response in a similar way, such as <a class="reference external" href="https://en.wikipedia.org/wiki/Exim">exim</a> with the <a class="reference external" href="http://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp_connections_using_tlsssl.html#SECID184"><code class="docutils literal">tls_ocsp_file</code> directive</a>, and thus have the same problem. to solve this problem, i've started creating ocsp bot:</p>
</section>
<section id="ocsp-bot">
<h2>ocsp bot</h2>
<p><a class="reference external" href="https://github.com/felixfontein/ocspbot/">ocsp bot</a> is a python script which should be called frequently (as in: once per hour or so), which checks a set of <a class="reference external" href="https://en.wikipedia.org/wiki/X.509">x.509</a> certificates to obtain up-to-date ocsp responses. in case the current ocsp responses will expire soon, or aren't there, it will try to get a new response. it will only copy the new response to the correct place if it is valid and good. calling it frequently will ensure that in case of problems getting a new response, it will retry every hour (or so) until a good and valid response could have been obtained. so a user response is only necessary if the process fails several times in a row.</p>
<p>ocsp bot will signal with its exit code whether responses have been updated, allowing to reload/restart the corresponding service to use the new response.</p>
<p>you can install ocsp bot with <code class="docutils literal">pip install ocsp</code> from <a class="reference external" href="https://pypi.python.org/pypi/ocspbot/">pypi</a>.</p>
</section>
<section id="integration-with-ansible">
<h2>integration with ansible</h2>
<p>i'm using <a class="reference external" href="https://spielwiese.fontein.de/tag/ansible">ansible</a> to configure my server. to copy certificates and obtain ocsp responses, i'm using a custom role.</p>
<p>the ansible tasks for the role are as follows. ocsp bot is installed in <code class="docutils literal">/var/www/ocsp</code>:</p>
<div class="code"><pre class="code yaml+jinja"><a id="rest_code_d593cd582bb94bc3985373cf382f7c11-1" name="rest_code_d593cd582bb94bc3985373cf382f7c11-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-1"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create OCSP log folder</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-2" name="rest_code_d593cd582bb94bc3985373cf382f7c11-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-2"></a><span class="w"> </span><span class="nt">file</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dest=/var/www/ocsp/logs state=directory</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-3" name="rest_code_d593cd582bb94bc3985373cf382f7c11-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-3"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Create OCSP response folder</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-4" name="rest_code_d593cd582bb94bc3985373cf382f7c11-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-4"></a><span class="w"> </span><span class="nt">file</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dest=/var/www/ocsp/responses state=directory</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-5" name="rest_code_d593cd582bb94bc3985373cf382f7c11-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-5"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install pyyaml</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-6" name="rest_code_d593cd582bb94bc3985373cf382f7c11-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-6"></a><span class="w"> </span><span class="nt">pip</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">name=pyyaml</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-7" name="rest_code_d593cd582bb94bc3985373cf382f7c11-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-7"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install OCSP response utility</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-8" name="rest_code_d593cd582bb94bc3985373cf382f7c11-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-8"></a><span class="w"> </span><span class="nt">copy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">src=ocspbot.py dest=/var/www/ocsp/ocspbot.py mode=0755</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-9" name="rest_code_d593cd582bb94bc3985373cf382f7c11-9" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-9"></a><span class="w"> </span><span class="c1"># ocspbot.py is ocspbot/__main__.py from https://github.com/felixfontein/ocspbot/</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-10" name="rest_code_d593cd582bb94bc3985373cf382f7c11-10" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-10"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install OCSP bash script</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-11" name="rest_code_d593cd582bb94bc3985373cf382f7c11-11" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-11"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">src=ocspbot.sh.j2 dest=/var/www/ocsp/ocspbot.sh mode=0755</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-12" name="rest_code_d593cd582bb94bc3985373cf382f7c11-12" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-12"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install OCSP response utility configurations</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-13" name="rest_code_d593cd582bb94bc3985373cf382f7c11-13" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-13"></a><span class="w"> </span><span class="nt">template</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">src=ocspbot.yaml.j2 dest=/var/www/ocsp/ocspbot-</span><span class="cp">{{</span> <span class="nv">item.key</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">.yaml</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-14" name="rest_code_d593cd582bb94bc3985373cf382f7c11-14" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-14"></a><span class="w"> </span><span class="nt">with_dict</span><span class="p">:</span><span class="w"> </span><span class="s">"</span><span class="cp">{{</span> <span class="nv">certificates</span> <span class="cp">}}</span><span class="s">"</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-15" name="rest_code_d593cd582bb94bc3985373cf382f7c11-15" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-15"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Install OCSP response cronjob</span>
<a id="rest_code_d593cd582bb94bc3985373cf382f7c11-16" name="rest_code_d593cd582bb94bc3985373cf382f7c11-16" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_d593cd582bb94bc3985373cf382f7c11-16"></a><span class="w"> </span><span class="nt">cron</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">name="Update OCSP responses" hour=* minute=0 job=/var/www/ocsp/ocspbot.sh state=present</span>
</pre></div>
<p>the variable <code class="docutils literal">certificates</code> is defined as follows:</p>
<div class="code"><pre class="code yaml+jinja"><a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-1" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-1"></a><span class="nt">certificates</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-2" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-2"></a><span class="w"> </span><span class="nt">nginx</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-3" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-3"></a><span class="w"> </span><span class="nt">domains</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-4" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-4"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example.com</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-5" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-5"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">example.net</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-6" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-6"></a><span class="w"> </span><span class="nt">reload</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-7" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">nginx</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-8" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-8"></a><span class="w"> </span><span class="nt">key_owner</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">root</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-9" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-9" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-9"></a><span class="w"> </span><span class="nt">key_group</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">root</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-10" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-10" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-10"></a><span class="w"> </span><span class="nt">key_mode</span><span class="p">:</span><span class="w"> </span><span class="s">"0400"</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-11" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-11" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-11"></a><span class="w"> </span><span class="nt">mailserver</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-12" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-12" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-12"></a><span class="w"> </span><span class="nt">domains</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-13" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-13" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-13"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">mail.example.com</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-14" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-14" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-14"></a><span class="w"> </span><span class="nt">reload</span><span class="p">:</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-15" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-15" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-15"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">dovecot</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-16" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-16" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-16"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">exim</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-17" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-17" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-17"></a><span class="w"> </span><span class="nt">key_owner</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">root</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-18" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-18" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-18"></a><span class="w"> </span><span class="nt">key_group</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">exim</span>
<a id="rest_code_1c7630e1de3e4443a2dd6379857c7da9-19" name="rest_code_1c7630e1de3e4443a2dd6379857c7da9-19" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_1c7630e1de3e4443a2dd6379857c7da9-19"></a><span class="w"> </span><span class="nt">key_mode</span><span class="p">:</span><span class="w"> </span><span class="s">"0440"</span>
</pre></div>
<p>The template for <code class="docutils literal">ocspbot.sh</code>:</p>
<div class="code"><pre class="code bash"><a id="rest_code_f3b11e5e28144f1b9165581a70b37644-1" name="rest_code_f3b11e5e28144f1b9165581a70b37644-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-1"></a><span class="ch">#!/bin/bash</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-2" name="rest_code_f3b11e5e28144f1b9165581a70b37644-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-2"></a><span class="nv">RC</span><span class="o">=</span><span class="m">0</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-3" name="rest_code_f3b11e5e28144f1b9165581a70b37644-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-3"></a><span class="o">{</span>%<span class="w"> </span><span class="k">for</span><span class="w"> </span>name,<span class="w"> </span>data<span class="w"> </span><span class="k">in</span><span class="w"> </span>certificates<span class="p">|</span>dictsort<span class="w"> </span>%<span class="o">}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-4" name="rest_code_f3b11e5e28144f1b9165581a70b37644-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-4"></a>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-5" name="rest_code_f3b11e5e28144f1b9165581a70b37644-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-5"></a><span class="c1"># Renew OCSP responses for {{ name }}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-6" name="rest_code_f3b11e5e28144f1b9165581a70b37644-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-6"></a>/var/www/ocsp/ocspbot.py<span class="w"> </span>/home/ocsp/ocspbot-<span class="o">{{</span><span class="w"> </span>name<span class="w"> </span><span class="o">}}</span>.yaml
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-7" name="rest_code_f3b11e5e28144f1b9165581a70b37644-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-7"></a><span class="nv">RESULT</span><span class="o">=</span><span class="nv">$?</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-8" name="rest_code_f3b11e5e28144f1b9165581a70b37644-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-8"></a><span class="k">if</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$RESULT</span><span class="w"> </span>-gt<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-9" name="rest_code_f3b11e5e28144f1b9165581a70b37644-9" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-9"></a><span class="o">{</span>%<span class="w"> </span><span class="k">for</span><span class="w"> </span>service<span class="w"> </span><span class="k">in</span><span class="w"> </span>data.reload<span class="w"> </span>%<span class="o">}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-10" name="rest_code_f3b11e5e28144f1b9165581a70b37644-10" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-10"></a><span class="w"> </span>systemctl<span class="w"> </span>reload<span class="w"> </span><span class="o">{{</span><span class="w"> </span>service<span class="w"> </span><span class="o">}}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-11" name="rest_code_f3b11e5e28144f1b9165581a70b37644-11" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-11"></a><span class="o">{</span>%<span class="w"> </span>endfor<span class="w"> </span>%<span class="o">}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-12" name="rest_code_f3b11e5e28144f1b9165581a70b37644-12" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-12"></a><span class="k">elif</span><span class="w"> </span><span class="o">[</span><span class="w"> </span><span class="nv">$RESULT</span><span class="w"> </span>-lt<span class="w"> </span><span class="m">0</span><span class="w"> </span><span class="o">]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-13" name="rest_code_f3b11e5e28144f1b9165581a70b37644-13" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-13"></a><span class="w"> </span><span class="nv">RC</span><span class="o">=</span><span class="m">1</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-14" name="rest_code_f3b11e5e28144f1b9165581a70b37644-14" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-14"></a><span class="k">fi</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-15" name="rest_code_f3b11e5e28144f1b9165581a70b37644-15" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-15"></a><span class="o">{</span>%<span class="w"> </span>endfor<span class="w"> </span>%<span class="o">}</span>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-16" name="rest_code_f3b11e5e28144f1b9165581a70b37644-16" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-16"></a>
<a id="rest_code_f3b11e5e28144f1b9165581a70b37644-17" name="rest_code_f3b11e5e28144f1b9165581a70b37644-17" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_f3b11e5e28144f1b9165581a70b37644-17"></a><span class="nb">exit</span><span class="w"> </span><span class="nv">$RC</span>
</pre></div>
<p>the template for the configuration <a class="reference external" href="https://en.wikipedia.org/wiki/YAML">yaml</a> files:</p>
<div class="code"><pre class="code yaml+jinja"><a id="rest_code_458190e915134366a6cc0a30345cd21d-1" name="rest_code_458190e915134366a6cc0a30345cd21d-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-1"></a><span class="nt">make_backups</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">True</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-2" name="rest_code_458190e915134366a6cc0a30345cd21d-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-2"></a>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-3" name="rest_code_458190e915134366a6cc0a30345cd21d-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-3"></a><span class="nt">minimum_validity</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">3d</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-4" name="rest_code_458190e915134366a6cc0a30345cd21d-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-4"></a><span class="nt">minimum_validity_percentage</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">42.8</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-5" name="rest_code_458190e915134366a6cc0a30345cd21d-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-5"></a>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-6" name="rest_code_458190e915134366a6cc0a30345cd21d-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-6"></a><span class="nt">ocsp_folder</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/ocsp/responses</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-7" name="rest_code_458190e915134366a6cc0a30345cd21d-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-7"></a><span class="nt">output_log</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/ocsp/logs/</span><span class="cp">{{</span> <span class="nv">item.key</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">-{year}{month}{day}-{hour}{minute}{second}.log</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-8" name="rest_code_458190e915134366a6cc0a30345cd21d-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-8"></a>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-9" name="rest_code_458190e915134366a6cc0a30345cd21d-9" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-9"></a><span class="nt">domains</span><span class="p">:</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-10" name="rest_code_458190e915134366a6cc0a30345cd21d-10" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-10"></a><span class="cp">{%</span> <span class="k">for</span> <span class="nv">domain</span> <span class="k">in</span> <span class="nv">item.value.domains</span><span class="o">|</span><span class="nf">sort</span> <span class="cp">%}</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-11" name="rest_code_458190e915134366a6cc0a30345cd21d-11" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-11"></a><span class="w"> </span><span class="cp">{{</span> <span class="nv">domain</span> <span class="cp">}}</span><span class="p p-Indicator">:</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-12" name="rest_code_458190e915134366a6cc0a30345cd21d-12" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-12"></a><span class="w"> </span><span class="nt">cert</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/certs/</span><span class="cp">{{</span> <span class="nv">domain</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">.pem</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-13" name="rest_code_458190e915134366a6cc0a30345cd21d-13" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-13"></a><span class="w"> </span><span class="nt">chain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/certs/</span><span class="cp">{{</span> <span class="nv">domain</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">-chain.pem</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-14" name="rest_code_458190e915134366a6cc0a30345cd21d-14" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-14"></a><span class="w"> </span><span class="nt">rootchain</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/certs/</span><span class="cp">{{</span> <span class="nv">domain</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">-rootchain.pem</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-15" name="rest_code_458190e915134366a6cc0a30345cd21d-15" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-15"></a><span class="w"> </span><span class="nt">ocsp</span><span class="p">:</span><span class="w"> </span><span class="cp">{{</span> <span class="nv">domain</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">.ocsp-resp</span>
<a id="rest_code_458190e915134366a6cc0a30345cd21d-16" name="rest_code_458190e915134366a6cc0a30345cd21d-16" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_458190e915134366a6cc0a30345cd21d-16"></a><span class="cp">{%</span> <span class="k">endfor</span> <span class="cp">%}</span>
</pre></div>
<p>the certificates are copied with the following ansible tasks:</p>
<div class="code"><pre class="code yaml+jinja"><a id="rest_code_775db931a9f949b7b03001a74d1fddfc-1" name="rest_code_775db931a9f949b7b03001a74d1fddfc-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-1"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">copy private keys</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-2" name="rest_code_775db931a9f949b7b03001a74d1fddfc-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-2"></a><span class="w"> </span><span class="nt">copy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">src=keys/</span><span class="cp">{{</span> <span class="nv">item.1</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">.key dest=/var/www/keys/</span><span class="cp">{{</span> <span class="nv">item.1</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain">.key owner=</span><span class="cp">{{</span> <span class="nv">item.0.value.key_owner</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain"> group=</span><span class="cp">{{</span> <span class="nv">item.0.value.key_group</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain"> mode=</span><span class="cp">{{</span> <span class="nv">item.0.value.key_mode</span> <span class="cp">}}</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-3" name="rest_code_775db931a9f949b7b03001a74d1fddfc-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-3"></a><span class="w"> </span><span class="nt">with_dependent</span><span class="p">:</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-4" name="rest_code_775db931a9f949b7b03001a74d1fddfc-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-4"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"certificates"</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-5" name="rest_code_775db931a9f949b7b03001a74d1fddfc-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-5"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"item.0.value.domains"</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-6" name="rest_code_775db931a9f949b7b03001a74d1fddfc-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-6"></a><span class="w"> </span><span class="nt">notify</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">update OCSP responses</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-7" name="rest_code_775db931a9f949b7b03001a74d1fddfc-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-7"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">copy certificates</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-8" name="rest_code_775db931a9f949b7b03001a74d1fddfc-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-8"></a><span class="w"> </span><span class="nt">copy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">src=keys/</span><span class="cp">{{</span> <span class="nv">item.1</span> <span class="cp">}}{{</span> <span class="nv">item.2</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain"> dest=/var/www/certs/</span><span class="cp">{{</span> <span class="nv">item.1</span> <span class="cp">}}{{</span> <span class="nv">item.2</span> <span class="cp">}}</span><span class="l l-Scalar l-Scalar-Plain"> owner=root group=root mode=0444</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-9" name="rest_code_775db931a9f949b7b03001a74d1fddfc-9" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-9"></a><span class="w"> </span><span class="nt">with_dependent</span><span class="p">:</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-10" name="rest_code_775db931a9f949b7b03001a74d1fddfc-10" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-10"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"certificates"</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-11" name="rest_code_775db931a9f949b7b03001a74d1fddfc-11" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-11"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">"item.0.value.domains"</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-12" name="rest_code_775db931a9f949b7b03001a74d1fddfc-12" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-12"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="s">'["-rootchain.pem",</span><span class="nv"> </span><span class="s">"-fullchain.pem",</span><span class="nv"> </span><span class="s">"-chain.pem",</span><span class="nv"> </span><span class="s">".pem"]'</span>
<a id="rest_code_775db931a9f949b7b03001a74d1fddfc-13" name="rest_code_775db931a9f949b7b03001a74d1fddfc-13" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_775db931a9f949b7b03001a74d1fddfc-13"></a><span class="w"> </span><span class="nt">notify</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">update OCSP responses</span>
</pre></div>
<p>(here, the <a class="reference external" href="https://github.com/felixfontein/ansible-dependentloop">dependent loop lookup plugin</a> is used.)</p>
<p>the handler <code class="docutils literal">update OCSP responses</code> is defined as follows:</p>
<div class="code"><pre class="code yaml+jinja"><a id="rest_code_9be73e5b0e99485d9120c0179900224a-1" name="rest_code_9be73e5b0e99485d9120c0179900224a-1" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-1"></a><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">update OCSP responses</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-2" name="rest_code_9be73e5b0e99485d9120c0179900224a-2" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-2"></a><span class="w"> </span><span class="nt">command</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/var/www/ocsp/ocspbot.sh</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-3" name="rest_code_9be73e5b0e99485d9120c0179900224a-3" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-3"></a><span class="w"> </span><span class="nt">register</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-4" name="rest_code_9be73e5b0e99485d9120c0179900224a-4" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-4"></a><span class="w"> </span><span class="nt">failed_when</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">result.rc != 0</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-5" name="rest_code_9be73e5b0e99485d9120c0179900224a-5" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-5"></a><span class="w"> </span><span class="nt">notify</span><span class="p">:</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-6" name="rest_code_9be73e5b0e99485d9120c0179900224a-6" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-6"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">reload nginx</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-7" name="rest_code_9be73e5b0e99485d9120c0179900224a-7" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-7"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">reload exim</span>
<a id="rest_code_9be73e5b0e99485d9120c0179900224a-8" name="rest_code_9be73e5b0e99485d9120c0179900224a-8" href="https://spielwiese.fontein.de/2017/04/23/ocsp-stapling/#rest_code_9be73e5b0e99485d9120c0179900224a-8"></a><span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">reload dovecot</span>
</pre></div>
<p>i'm using this setup for some weeks now, and it seems to work fine. so far, i'm not using ocsp must-staple certificates (except for some test subdomains). if everything seems to be fine for some time, i'll switch to ocsp must-staple certificates.</p>
</section>let's encrypt!https://spielwiese.fontein.de/2015/12/06/lets-encrypt/2015-12-06T15:47:00+01:002015-12-06T15:47:00+01:00felix<p>three days ago, <a href="https://letsencrypt.org/">let’s encrypt</a> started their <a href="https://letsencrypt.org/2015/12/03/entering-public-beta.html">public beta</a>. for those of you who don’t know: let’s encrypt is a <a href="https://en.wikipedia.org/wiki/Certificate_authority">certificate authority</a> issuing free certificates for protecting <a href="https://en.wikipedia.org/wiki/HTTPS">https</a> connections.</p>
<p>this is awesome!</p>
<p>for one, this allows me to get some “real” certificates (as opposed to my <a href="https://en.wikipedia.org/wiki/Self-signed_certificate">self-signed ones</a>) without paying a larger sum of money per year (i’m using quite many subdomains of fontein.de and two other domains, which results in quite some sum even when using cheap resellers of resellers of resellers).</p>
<p>then, their goal is to automate the whole process as much as possible. so instead of a lof of manual work (mostly filling out forms, handling payment of fees, reacting to emails or domain challenge requests, etc.) it should be possible to run one command, maybe even as a <a href="https://en.wikipedia.org/wiki/Cronjob">cronjob</a>, to get a (renewed) certificate for a domain or a set of domains.</p>
<p>on thursday, when the beta officially started, i tried out the <a href="https://github.com/letsencrypt/letsencrypt">official client</a>. as mentioned already by lots of others, it has some serious downside: it is a huge python program which needs to be run as root. (not necessarily on the webserver, though, even though in that case you cannot automate stuff anymore.) but there were already alternatives: a static <a href="https://gethttpsforfree.com/">website</a> telling you what to do and doing some calculations in javascript, or a <a href="https://github.com/diafygi/acme-tiny">tiny python client</a>. (both are by <a href="https://github.com/diafygi/">daniel roesler</a>.)</p>
<p>that’s already much better, but still not what i want, as this is hard to automate when you don’t want to run that on the webserver itself. i’m prefering something which can run somewhere else, and can be integrated in an orchestration tool like <a href="https://github.com/ansible/ansible">ansible</a>. well, so i took daniel roesler’s code (including a python 3 patch by <a href="https://github.com/collinanderson/">collin anderson</a>) and converted it into a more modular tool, which allows to split up the process so that with some more scripting, it can easily be used to do the process from remote. you can find the result <a href="https://github.com/felixfontein/acme-compact">on github</a>. i also created an ansible role which allows to simply generate keys, certificate signing requests and get complete certificates from let’s encrypt with ansible; that project can also be found <a href="https://github.com/felixfontein/letsencrypt-ansible">on github</a>. i’m using it in production for my personal webserver: as a result you can now look at spielwiese without having to accept my self-signed certificate! maybe also others will find this useful.</p>setting up high security tls.https://spielwiese.fontein.de/2015/03/01/setting-up-high-security-tls/2015-03-01T13:35:00+01:002015-03-01T13:35:00+01:00felix<p>this weekend, i spend a bit of time pimping my <a href="https://en.wikipedia.org/wiki/Nginx">nginx</a> <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security">tls</a>/<a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0.2C_2.0_and_3.0">ssl</a> configuration for <a href="https://en.wikipedia.org/wiki/HTTPS">https</a>. my goal was to achieve much better on the <a href="https://www.ssllabs.com/">ssl labs</a> <a href="https://www.ssllabs.com/ssltest/index.html">ssl server test</a>. well, my top score will never exceed <code>T</code> due to my self-signed certificate, but fortunately it also shows the top score ignoring trust issues. and there, i finally got an <code>A</code>!</p>
<p>of course, there’s always a downside. since certain older clients are incapable of dealing with modern ciphers and protocols (like <a href="https://en.wikipedia.org/wiki/TLS_1.2#TLS_1.2">tls 1.2</a>), you either have to support cipher/hash/… combinations which aren’t exactly secure, or drop support for these clients. if you want a good score from the ssl server test, you have to drop support for some clients.</p>
<p>in my case (and after doing quite some experiments), i decided to drop support for:</p>
<ul>
<li>android 2.3.7 (and similar): no 256 bit ciphers, and no support of tls 1.1 or higher;</li>
<li>internet explorer 6 and 8 under windows xp: not even tls 1.0 (ie 6), or no tls 1.1 or higher (ie 8), and no 256 bit ciphers;</li>
<li>all kind of javas (java 6u45, 7u25, 8b132): while java 8 finally supports tls 1.2 (the others only up to tls 1.0), there are no 256 bit ciphers.</li>
</ul>
<p>all other clients tested on the ssl server test have no problem connecting with my config, and all result in 256 bit ciphers with <a href="https://en.wikipedia.org/wiki/Forward_secrecy">forward secrecy</a>.</p>
<p>the total result is 100% for key exchange and ciphers, and 95% for protocol support (i guess supporting tls 1.0 is the problem, but that’s needed for quite some clients). you can see the result <a href="https://www.ssllabs.com/ssltest/analyze.html?d=spielwiese.fontein.de&hideResults=on">here</a>. i probably would have gotten 100% for the certificate, too, if it would not have been self-signed (by my own ca), but by something “trustworthy”.</p>
<p>to achieve this, i used 4096 bit <a href="https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29">rsa</a> keys and a 4096 bit <a href="https://en.wikipedia.org/wiki/Diffie-Hellman">dh</a> setting. generating the server certificate (with the rsa keys) is pretty standard, but what i haven’t seen very often is the diffie-hellman key exchange parameters generation (in fact, i’ve first seen it <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#DHE_handshake_and_dhparam">here</a>):<br>
</p><div class="code-bash"><pre class="code literal-block"><span></span><span class="linenos">1</span>openssl<span class="w"> </span>genpkey<span class="w"> </span>-genparam<span class="w"> </span>-algorithm<span class="w"> </span>DH<span class="w"> </span>-out<span class="w"> </span>dhparam.pem<span class="w"> </span>-pkeyopt<span class="w"> </span>dh_paramgen_prime_len:4096
</pre></div><br>
this generates a diffie-hellman setup with a 4096 bit prime. a smaller prime is fine for most scenarios, but if you’re paranoid enough, 4096 bits is a good start :-) note that the prime bitlength has a direct impact on the server (and client) load when a new tls/ssl connection with forward secrecy is initiated. the longer the prime is, the slower this will be. (the handshake is superlinear in the number of bits, and probably closer to quadratic than to the complexity-theoretic optimum of <i>O</i>(n<sup>1+<i>ɛ</i></sup>) for every <i>ɛ</i> > 0.) for more modern clients, though, an <a href="https://en.wikipedia.org/wiki/Elliptic_curve_cryptography">elliptic curve</a> based setting will be used, which is much more efficient since it uses way smaller <a href="https://en.wikipedia.org/wiki/Finite_field">finite fields</a>.
<p>anyway, here’s the config:<br>
</p><div class="code-unformatted"><pre class="code literal-block"><span></span><span class="linenos">1</span>ssl_session_cache shared:SSL:5m;
<span class="linenos">2</span>ssl_session_timeout 5m;
<span class="linenos">3</span>
<span class="linenos">4</span>ssl_dhparam /etc/nginx/dhparam.pem;
<span class="linenos">5</span>
<span class="linenos">6</span>ssl_protocols TLSv1.2 TLSv1;
<span class="linenos">7</span>ssl_prefer_server_ciphers on;
<span class="linenos">8</span>ssl_ciphers "-ALL !ADH !aNULL !EXP !EXPORT40 !EXPORT56 !RC4 !3DES !eNULL !NULL !DES !MD5 !LOW ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA";
</pre></div>
<p>this leads to the following list of ciphers:<br>
</p><div class="code-unformatted"><pre class="code literal-block"><span></span><span class="linenos">1</span>prio ciphersuite protocols pfs_keysize
<span class="linenos">2</span>1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
<span class="linenos">3</span>2 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,4096bits
<span class="linenos">4</span>3 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
<span class="linenos">5</span>4 DHE-RSA-AES256-SHA256 TLSv1.2 DH,4096bits
<span class="linenos">6</span>5 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.2 ECDH,P-256,256bits
<span class="linenos">7</span>6 DHE-RSA-AES256-SHA TLSv1,TLSv1.2 DH,4096bits
</pre></div><br>
(courtsey to <a href="https://github.com/jvehent/cipherscan">cipherscan</a>.)
<p>i’d like to also use <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#HSTS:_HTTP_Strict_Transport_Security">http strict transport security</a>, but that won’t work well if you have a self-signed certificate, thanks to its specifications (see point #2 <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security#HSTS_mechanism_overview">here</a>). also, <a href="https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling">ocsp stapling</a> makes no sense with a self-signed certificate and without a proper ca. finally, i’d like to use <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning">public key pinning</a> in the future, but that’s rather experimental at the moment.</p>
<p>one thing i’m missing quite badly is proper elliptic curve support. with that i mean good (non-nist) curves, like the ones listed as “safe” on <a href="http://safecurves.cr.yp.to/">this page</a>, especially the higher security ones (like curve41417, ed448-goldilocks, m-511 and m-521). unfortunately, i’m afraid it will take a long time until we can use them with tls, not only because they first have to get into a standard, but then the standard has to be implemented by clients and enough clients must be able to use it. consider for example tls 1.2, which was defined in august 2008. while finally all current browsers support it (that hasn’t been the case a couple of years ago, similar to tls 1.1 which has been around since april 2006), it took quite some time, and there are still a lot of older browsers out there which don’t support it. just consider many smartphones produced in the last years with android 4.3 an older (which includes my fairphone), which have only tls 1.0 support. or safari 6 included with osx 10.8, openssl 0.9.8, internet explorer mobile on windows phone 8.0, internet explorer up to version 10, and quite some search machine bots.</p>
<p>note that in my above config, the elliptic curve used for diffie-hellman is p-256, a <a href="https://en.wikipedia.org/wiki/NIST">nist</a> curve. it’s one of these <a href="https://en.wikipedia.org/wiki/NSA">nsa</a> generated curves, and it’s not exactly optimal (search for p-256 <a href="http://safecurves.cr.yp.to/">here</a>). unfortunately, with current tls, there’s not much you can do about this… too bad.</p>a man-in-the-middle attack.https://spielwiese.fontein.de/2012/07/18/a-man-in-the-middle-attack/2012-07-18T10:17:39+02:002012-07-18T10:17:39+02:00felix<p>over the weekend, i almost became a victim of a <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack">man-in-the-middle attack</a>. while staying in <a href="https://spielwiese.fontein.de/tag/castro-urdiales/">castro urdiales</a>, i changed into a different hotel on friday. the hotel had free (password protected) wireless internet, as many hotels do have. what was different to other hotels was what happened when i wanted to check my emails via <a href="https://en.wikipedia.org/wiki/IMAPS#E-mail_protocols">imaps</a>, i.e. imap over <a href="https://en.wikipedia.org/wiki/Secure_Sockets_Layer">ssl</a>, which means that my communication with my email servers are encrypted. my email program informed me that the cerficiates changed and asked me whether i want to store the new <a href="https://en.wikipedia.org/wiki/Public_key_certificate">certificate</a>. this happened for both imap servers i’m using, namely my own and the one of my <a href="http://www.math.uzh.ch/">institute</a>. i was somewhat surprised – sometimes the institute’s server gets a new certificate, but my own server? without me, the admin, doing anything? i checked the certificates, to find out that essentially nothing changed, <b>except</b> the (<a href="https://en.wikipedia.org/wiki/RSA_%28algorithm%29">rsa</a>) <a href="https://en.wikipedia.org/wiki/Public_key">public key</a>, and that the signer changed to “FortiGate CA”. <i>fortigate</i> is the flagship product of an american company called <a href="https://en.wikipedia.org/wiki/Fortinet">fortinet</a>; this is apparently (related to) secure wireless (wlan) equipment.<br>
part of their software/hardware seems to be something which tries to scan email. scanning unencrypted email communication (via smtp, pop3, imap, …) is easy – as there is no encryption. but they also try to check encrypted communications with email servers. for that, they have to break or circumvent encryption. the easiest way to do that is a man-in-the-middle attack: send traffic through a <a href="https://en.wikipedia.org/wiki/Proxy_server">proxy</a>, and in case someone wants to connect to a imaps server (identified by access to port number 993, i assume), act as if you are the imaps server, send a faked certificate including your own public key, so that the user is transmitting its data to you. then connect to the “real” imaps server and forward the data to it. works pretty well. except that suddenly, you, the client, gets presented with a different public key. if you (more precisely: your email software) stored the certificate (which includes the public key) and compares the certificate it obtains from the proxy (thinking it is the email server) with the stored one, it will note that something changed. and it will hopefully complain to you, the user, and ask you what to do. ask you whether the new certificate is acceptable or not.<br>
if you accept the new certificate, or the software you’re using does it for you (guess that’s “user friendly”, so you don’t have to care about stuff like certificates), the proxy server will read <b>all your communication</b> with the imaps server. some combinations of servers and clients will even ensure that your password is send plaintext (assuming the ssl encryption between client and server), which means that in this case, the proxy server knows your email password. in case the proxy server is used in a malicious way, someone can steal or abuse your data. (especially as passwords are often used for different accounts). more importantly, once the connection is open and you authenticated to the email server, the proxy server can use the open connection to do anything it likes with your email account – it can access all emails stored on your account on that server.<br>
i assume (hope?) that the fortigate software/hardware is not doing this. but anyway, such behavior is very, <i>very</i> bad. (and it opens the question what else is analyzed by the proxy. maybe all your http connections? https seems to be unaffected, as the certificates there were still fine, at least in my case.) luckily, i was able to circumvent this by using the <a href="https://en.wikipedia.org/wiki/VPN">vpn</a> of my university. but not everyone has access to a vpn, or knows how to use that. (and another thing which made me worry is that i don’t have a certificate for my vpn server. so in theory the proxy could also try a man-in-the-middle attack here, and circumvent my use of the vpn. but apparently they don’t, or at least not so easily: when i used the vpn, the email servers returned their “correct” certificates.<br>
well. so what’s the morale of this story? certificates are important! be vigilant when using unknown networks, such as hotel wlans, and use vpn in case you don’t trust it. and use software which correctly checks certificates! and in case you get a warning that a certificate changed, be alert! don’t just click on “accept new certificate” to make your life easier!</p>