[debops.pki] Nginx OCSP issue with DST Root CA X3 expiration, pki-realm script and ca-certificates package update #1860
Comments
With that single edit that you suggested to debops/ansible/roles/pki/files/usr/local/lib/pki/pki-realm, my nginx will happily restart following a run of service/nginx and service/pki. Out of interest, how is your nginx failing after the update?

I confirm that the fix works.

I believe this has been fixed with #1881, feel free to re-open if you are still having issues.
After updating my host's PKI realm scripts using the patched

You can also verify that you are not using the old cross-signed R3 CA anymore with
Hi,

Following the deprecation of LE DST Root CA X3 and its removal from the ca-certificates package, it looks like the pki-realm script fails to grep the CA in the /etc/ca-certificates.conf folder and thus to create the required files for the Nginx role (/etc/pki/realms/<domain>/trusted.crt, which is used for OCSP validation). This causes Nginx to fail after ca-certificates has been upgraded to its latest version.

The following line seems to cause the error:

debops/ansible/roles/pki/files/usr/local/lib/pki/pki-realm, line 1171 in c24d514

which has a hardcoded value of:

debops/ansible/roles/pki/files/usr/local/lib/pki/pki-realm, line 192 in c24d514

It looks like it should now be replaced by mozilla/ISRG_Root_X1.crt, but I don't know how to handle the full chain right now, as Nginx still complains after the update.

Related discussions:
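The failure mode described in this issue, a single hardcoded CA name grepped out of ca-certificates.conf so that trusted.crt silently ends up missing once that entry disappears, can be illustrated with the following added example; it is not the debops pki-realm script. It tries an ordered list of candidate roots, treats entries deselected with a leading `!` as absent, and refuses to write trusted.crt when none is found. The conf contents, CA directory and certificate bodies are constructed here, and the old entry's file name mozilla/DST_Root_CA_X3.crt is assumed to follow the same naming convention as the mozilla/ISRG_Root_X1.crt entry named above.

```shell
#!/bin/sh
# Added example, not the debops pki-realm script: resolve the OCSP trust-chain root
# from a ca-certificates.conf with a fallback list instead of one hardcoded name.
# Entries deselected with a leading '!' count as absent, and the build step fails
# rather than leaving nginx with an empty trusted.crt.
set -eu

# Print the first candidate that is listed and enabled in the given conf, else return 1.
find_trusted_root() {
    conf="$1"; shift
    for candidate in "$@"; do
        # -x: whole-line match, so '!mozilla/X.crt' does not match 'mozilla/X.crt'; -F: literal.
        if grep -qxF -- "$candidate" "$conf"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Assemble trusted.crt (the file nginx's ssl_trusted_certificate reads) from the resolved root.
build_trusted_crt() {
    conf="$1"; cadir="$2"; out="$3"; shift 3
    root=$(find_trusted_root "$conf" "$@") || {
        echo "error: none of the candidate roots is enabled in $conf" >&2
        return 1
    }
    cat -- "$cadir/$root" > "$out"
}

# Constructed sample tree: a conf where DST Root CA X3 is deselected and only
# ISRG Root X1 remains. Prints the directory it created.
setup_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/certs/mozilla"
    printf '%s\n' '!mozilla/DST_Root_CA_X3.crt' 'mozilla/ISRG_Root_X1.crt' > "$d/ca-certificates.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-SAMPLE-ISRG-ROOT-X1' \
        '-----END CERTIFICATE-----' > "$d/certs/mozilla/ISRG_Root_X1.crt"
    printf '%s\n' "$d"
}

# Usage: try the old root first, fall back to ISRG Root X1.
sample=$(setup_sample)
build_trusted_crt "$sample/ca-certificates.conf" "$sample/certs" "$sample/trusted.crt" \
    mozilla/DST_Root_CA_X3.crt mozilla/ISRG_Root_X1.crt
cat "$sample/trusted.crt"
```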