self-hosted nginx : allow DNS resolution for Let's Encrypt OCSP
- /e/ version: n/a
- Device model: n/a
- Reproducible with the last /e/ version: n/a
- Reproducible with LineageOS: n/a
Summary
In self-hosted, nginx OCSP cannot occur because of the lack of a DNS resolver
This improvement concerns
- UI
- Behavior
- Privacy
Description
nginx container logs showing "[warn] 6#6: no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org"
What is the improved behavior?
No warning, OCSP working.
As a POC, I added a /mnt/repo-base/config-dynamic/nginx/sites-enabled/resolver.conf
file, with this simple content:
resolver 127.0.0.11 ;
(127.0.0.11 is from nginx's resolv.conf file)
And, after restarting nginx, the log doesn't show warnings anymore, so we can guess it's working.
What does it bring?
I won't discuss OCSP benefits, see Wikipedia
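
Added example, not part of the original report or the project's code: a Python check that flags nginx blocks where OCSP stapling is enabled (nginx's ssl_stapling directive) with no resolver directive in scope, which is the condition behind the warning quoted above. It assumes the configuration is supplied as one text with includes already inlined; the sample config and server names are constructed.

```python
import re

# Constructed sample with includes already inlined (assumption of this example).
# The first server mirrors the report: stapling on, no resolver in scope.
SAMPLE = """
http {
    server {
        server_name broken.example;
        ssl_stapling on;
    }
    server {
        server_name fixed.example;
        resolver 127.0.0.11;  # Docker embedded DNS, as in the report
        ssl_stapling on;
    }
}
"""

def parse(text):
    """Build a tree of {'name', 'args', 'children'} nodes from nginx config text."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments; quoted '#' is not handled
    root = {"name": "main", "args": [], "children": []}
    stack, words = [root], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok in ("{", ";") and words:  # end of a block header or simple directive
            node = {"name": words[0], "args": words[1:], "children": []}
            stack[-1]["children"].append(node)
            if tok == "{":
                stack.append(node)
            words = []
        elif tok == "}" and len(stack) > 1:
            stack.pop()
        elif tok not in ("{", "}", ";"):
            words.append(tok)
    return root

def stapling_without_resolver(node, inherited=False):
    """Return names of blocks where ssl_stapling is on with no resolver in scope."""
    kids = node["children"]
    # resolver is inherited from enclosing blocks; order inside a block is irrelevant
    in_scope = inherited or any(k["name"] == "resolver" for k in kids)
    found = []
    for k in kids:
        if k["name"] == "ssl_stapling" and k["args"] == ["on"] and not in_scope:
            names = [c["args"][0] for c in kids if c["name"] == "server_name" and c["args"]]
            found.append(names[0] if names else node["name"])
        found += stapling_without_resolver(k, in_scope)
    return found

if __name__ == "__main__":
    print(stapling_without_resolver(parse(SAMPLE)))
```
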