OCSP & nginx Settings
~~~~~~~~~~~~~~~~~~~~~

Configure OCSP Stapling and configure certain nginx settings. ::

    Sets the maximum allowed size of the client request body. If the size in a
    request exceeds the configured value, the 413 (Request Entity Too Large)
    error is returned to the client. Please be aware that browsers cannot
    correctly display this error. Setting size to 0 disables checking of client
    request body size.

    NB: This is set to 128M in StoredSafe for good reasons. Do not change it,
    unless told so by StoredSafe support (support@storedsafe.com) staff.

    client_max_body_size: 128M

    Change settings? (y/N):

    OCSP stapling allows the certificate presenter (i.e. web server) to query
    the OCSP responder directly and then cache the response. OCSP stapling
    addresses a privacy concern with OCSP because the CA no longer receives
    the revocation requests directly from the client (browser). OCSP stapling
    also addresses concerns about OCSP SSL negotiation delays by removing the
    need for a separate network connection to a CA's responders.

    NB: Enabling OCSP Stapling requires the StoredSafe instance to be able to
    query a resolver on port 53 (UDP and TCP) to resolve the IP address of the
    OCSP responder, and need to reach the external OCSP responder on port 80
    TCP. (Proxy NOT supported)

    OCSP Stapling: DISABLED

    Enable OCSP Stapling on this node? (Y/n):

    Install a new Trusted CA chain? (Y/n):

    For verification to work, the certificate of the server certificate
    issuer, the root certificate, and all intermediate certificates should be
    configured as trusted using the ssl_trusted_certificate directive.

    Search the directory "/isodevice/var/transfer" for files? (Press No for USB) (Y/n):
    Using the directory "/isodevice/var/transfer".

    Available files in /isodevice/var/transfer:
    ocsp-ca.pem

    Which file has the Trusted CA chain?
    (Q to Quit) : ocsp-ca.pem

    Issuers in the CA chain (/isodevice/var/transfer/ocsp-ca.pem):
    subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
    subject=O = Digital Signature Trust Co., CN = DST Root CA X3
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

    Install the new CA Chain for OCSP validation? (Y/n):
    Backup "/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem" as "/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem.old"? (Y/n):
    New CA Chain for OCSP Stapling validation installed successfully.

    DNS Resolver #0 (. to end input, Q to quit) <192.168.12.8>:
    DNS Resolver #1 (. to end input, Q to quit) <.>: .

    Save settings? (y/N): y

    Restart nginx to activate the new settings? (Y/n):

    (Press any key to continue)

If OCSP stapling is already enabled the current configuration is shown. ::

    OCSP Stapling: ENABLED
    Resolver: 192.168.12.8

    Issuers in the CA chain (/isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem):
    subject=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
    subject=O = Digital Signature Trust Co., CN = DST Root CA X3
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

    Check status of OCSP Stapling on this node? (Y/n):

    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = R3
        Produced At: May  2 23:41:00 2023 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 48DAC9A0FB2BD32D4FF0DE68D2F567B735F9B3C4
          Issuer Key Hash: 142EB317B75856CBAE500940E61FAF9D8B14C2C6
          Serial Number: 035CA8DBDB9941D10EDDBB93F0DEB1EEDDCE
        Cert Status: good
        This Update: May  2 23:00:00 2023 GMT
        Next Update: May  9 22:59:58 2023 GMT

    Disable OCSP Stapling on this node? (y/N):

    Change settings? (y/N):
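The menu above hides the nginx directives the answers map to, and the status check only shows its raw output. The following script is an added example, not StoredSafe's own code: it renders the directives for the chosen body-size limit, resolver and trusted CA chain, counts the certificates in a PEM bundle before it is handed to ``ssl_trusted_certificate`` (the chain must carry the issuer, every intermediate and the root), and reads an OCSP status dump of the kind printed above to decide whether stapling is healthy. The resolver address, CA chain path and 128M limit are the values shown on this page; ``valid=300s`` and ``resolver_timeout 5s`` are this example's own choices, the sample inputs are constructed, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not StoredSafe's code). Function names are hypothetical;
# resolver, chain path and body-size limit are the values shown on the page.

# Print the nginx directives for the request-body limit and OCSP stapling.
#   $1 = DNS resolver IP   $2 = trusted CA chain (PEM)   $3 = client_max_body_size
# "valid=300s" and "resolver_timeout 5s" are this example's own choices.
render_ocsp_conf() {
    cat <<EOF
client_max_body_size $3;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate $2;
resolver $1 valid=300s;
resolver_timeout 5s;
EOF
}

# Count the certificates in a PEM bundle read on stdin. A count of 1 usually
# means only the issuer certificate was copied and the root is missing.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Read an OCSP status dump on stdin (the layout "openssl s_client -status" and
# "openssl ocsp -text" print) and exit 0 only when the responder answered
# successfully AND reported the certificate as good.
ocsp_status_ok() {
    awk '
        /OCSP Response Status:/ && /successful/ { rs = 1 }
        /Cert Status:/          && /good/       { cs = 1 }
        END { exit (rs && cs) ? 0 : 1 }
    '
}

# Constructed sample: the status block shown above, trimmed to the lines
# the check reads.
SAMPLE_GOOD='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
    Next Update: May  9 22:59:58 2023 GMT'

# Constructed sample: the same block for a revoked certificate.
SAMPLE_REVOKED='OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked'

# Constructed sample: a two-certificate bundle (issuer + root) with
# placeholder bodies; only the PEM markers matter to count_pem_certs.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUER-BODY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-BODY
-----END CERTIFICATE-----'

# Run through the three helpers with the constructed samples.
render_ocsp_conf 192.168.12.8 /isodevice/persistent/etc/nginx/ssl/storedsafe-ocsp-ca.pem 128M
echo "certificates in bundle: $(printf '%s\n' "$SAMPLE_BUNDLE" | count_pem_certs)"
if printf '%s\n' "$SAMPLE_GOOD" | ocsp_status_ok; then
    echo "good sample: stapling healthy"
fi
if ! printf '%s\n' "$SAMPLE_REVOKED" | ocsp_status_ok; then
    echo "revoked sample: stapling NOT healthy"
fi
```

Against a live node the same check is ``openssl s_client -connect HOST:443 -servername HOST -status </dev/null 2>/dev/null | ocsp_status_ok``; a missing "OCSP Response Status" line there usually means nginx could not reach the resolver on port 53 or the responder on port 80, exactly the prerequisites the menu's NB spells out.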