Skip to content

nginx: use fullchain.pem for ssl_trusted_certificate #60081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 3, 2019
Merged

nginx: use fullchain.pem for ssl_trusted_certificate #60081

merged 1 commit into from
May 3, 2019
+2 −2

Conversation

9ary
Copy link
Contributor

@9ary 9ary commented Apr 23, 2019

Motivation for this change

Some ACME clients (such as the OpenBSD client) do not generate full.pem, which is the same as fullchain.pem + the certificate key (key.pem), which is not necessary for verifying OCSP staples.
See also #53493.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nix-review --run "nix-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

I haven't tested this PR, but I think it is trivial enough not to break anything. I have a production system where full.pem is a symlink to fullchain.pem to work around its absence.

Sorry, something went wrong.

@9ary
nginx: use fullchain.pem for ssl_trusted_certificate

Verified

This commit was signed with the committer’s verified signature. The key has expired.
WilliButz
GPG key ID: 92582A10F1179CB2
Expired
Verified
Learn about vigilant mode
Loading
Loading status checks…
83c9b6e 
Some ACME clients do not generate full.pem, which is the same as
fullchain.pem + the certificate key (key.pem), which is not necessary
for verifying OCSP staples.
@9ary 9ary requested a review from infinisil as a code owner April 23, 2019 09:45
@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux labels Apr 23, 2019
@arianvp
Copy link
Member

arianvp commented Apr 24, 2019

@GrahamcOfBorg test acme

@infinisil infinisil merged commit be1ada3 into NixOS:master May 3, 2019
@Janik-Haag Janik-Haag added the 12. first-time contribution This PR is the author's first one; please be gentle! label Jun 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@infinisil infinisil

Assignees
No one assigned
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux 12. first-time contribution This PR is the author's first one; please be gentle!
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@9ary @arianvp @infinisil @Janik-Haag