reverseproxy: remove OCSP support

OCSP is being deprecated in favor of CRLs. Let's Encrypt has already
removed the OCSP URL from its certificates, and its OCSP responder
is being decommissioned.

https://letsencrypt.org/2024/12/05/ending-ocsp/
Girish Ramakrishnan
2025-09-04 09:41:46 +02:00
parent 8c0b88d69a
commit ac7001b96e
4 changed files with 1 additions and 27 deletions


@@ -91,22 +91,6 @@ async function getCertificateDates(cert) {
return { startDate: notBeforeDate, endDate: notAfterDate };
}
async function getReverseProxyConfig() {
const value = await settings.getJson(settings.REVERSE_PROXY_CONFIG_KEY);
return value || { ocsp: true };
}
async function isOcspEnabled(certFilePath) {
// on some servers, OCSP does not work. see #796
const config = await getReverseProxyConfig();
if (!config.ocsp) return false;
// We used to check for the must-staple in the cert using openssl x509 -text -noout -in ${certFilePath} | grep -q status_request
// however, we cannot set the must-staple because first request to nginx fails because of it's OCSP caching behavior
const [error, result] = await safe(shell.spawn('openssl', ['x509', '-in', certFilePath, '-noout', '-ocsp_uri'], { encoding: 'utf8' }));
return !error && result.length > 0; // no error and has uri
}
// checks if the certificate matches the options provided by user (like wildcard, le-staging etc)
async function providerMatches(domainObject, cert) {
assert.strictEqual(typeof domainObject, 'object');
@@ -457,7 +441,6 @@ async function writeDashboardNginxConfig(vhost, certificatePath) {
keyFilePath: certificatePath.keyFilePath,
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
ocsp: await isOcspEnabled(certificatePath.certFilePath),
hstsPreload: false
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
@@ -516,7 +499,6 @@ async function writeAppLocationNginxConfig(app, location, certificatePath) {
hideHeaders: [],
proxyAuth: { enabled: false },
upstreamUri: '', // only for endpoint === external
ocsp: await isOcspEnabled(certificatePath.certFilePath),
hstsPreload: !!app.reverseProxyConfig?.hstsPreload
};
@@ -751,7 +733,6 @@ async function writeDefaultConfig(options) {
keyFilePath,
robotsTxtQuoted: JSON.stringify('User-agent: *\nDisallow: /\n'),
proxyAuth: { enabled: false, id: null, location: nginxLocation('/') },
ocsp: false, // self-signed cert
hstsPreload: false
};
const nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
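Review bot: The `ocsp` key is dropped from the `data` objects handed to `ejs.render(NGINX_APPCONFIG_EJS, data)` in writeDashboardNginxConfig, writeAppLocationNginxConfig and writeDefaultConfig, so NGINX_APPCONFIG_EJS must no longer reference `ocsp` (e.g. to emit `ssl_stapling on;`) — with ejs's default scoping an unreferenced local is a ReferenceError at render time, which would break every vhost write; the template is not on this page, so confirm it is one of the other three changed files. The removal of getReverseProxyConfig also leaves the persisted `settings.REVERSE_PROXY_CONFIG_KEY` value (previously defaulted to `{ ocsp: true }`) without a reader; if any settings route still accepts or validates an `ocsp` field it should now ignore or reject it rather than store a dead knob, and any other caller of getReverseProxyConfig outside this page will now fail. Worth a one-line comment near the template data, `// no OCSP stapling: Let's Encrypt no longer publishes an OCSP URI, revocation is CRL/client-side`, so the next reader does not reintroduce `ssl_stapling`. Each of the three enclosing functions starts before its hunk and continues after it.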