ts is useful as a versioning mechanism (for example, icon changed). update the timestamp explicity in code instead of db.
this way health and healthTime can be updated without changing ts.
initially, i tried to put this in the current value field but that
is TEXT and has a size limit of 64K. TEXT also stores things with
character encoding, so we have to stash it as base64
the notification wasn't working because this was in apptask and the apptask died
before it could send out the email. we now move the notification to box process
and also remove the email notification.
On first visit in firefox, must-staple certs (unlike chrome which ignores must-staple) always fail.
Investigating, it turns out, nginx does not fetch OCSP responses on reload or restart - https://trac.nginx.org/nginx/ticket/812 .
So, one has to prime the OCSP cache using curl requests. Alternately, one can use `openssl ocsp -noverify -no_nonce` and
then set `ssl_stapling_file`. Both approaches won't work if the OCSP servers are down and then we have to have some retry logic.
Also, the cache is per nginx worker, so I have no clue how many times one has to call curl. The `ssl_stapling_file` approach
requires some refresh logic as well. All very messy.
For the moment, do not set must-staple in the cert. Instead, check if the cert has a CSP URL and then enable
stapling in nginx accordingly.
can verify stapling using openssl s_client -connect hostname:443 -status
status_request is RFC6066. there is also status_request_v2 (RFC6961) but this is
not implemented even in openssl libs yet
emails will not be used for self monitoring events. these are best done
from the outside. we just log everything in eventlog and raise notifications
as well.
