From f53590f664c6a85a40f2eab43474b522d71de310 Mon Sep 17 00:00:00 2001
From: Arjan H
Date: Sat, 20 Aug 2022 10:45:23 +0200
Subject: [PATCH] Set CRL lifespan and update periode to more appropriate values
---
 gui/apply-boulder | 5 +++--
 patches/config_crl-updater.patch | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/gui/apply-boulder b/gui/apply-boulder
index a996011..2ba7f78 100755
--- a/gui/apply-boulder
+++ b/gui/apply-boulder
@@ -64,8 +64,9 @@ if [ "$PKI_DOMAIN_MODE" == "lockdown" ] || [ "$PKI_DOMAIN_MODE" == "whitelist" ]
 cat rate-limit-policies.yml | tr '\n' '\r' | sed -e "s|\(certificatesPerFQDNSet:.*must-staple.le.wtf: 10000\).*\(certificatesPerFQDNSetFast:.*\)|\1\n${REPLACEMENT}rateLimitsURL: http://$PKI_FQDN/rate-limits\n\2|" | tr '\r' '\n' > rate-limit-policies.yml.bak && mv rate-limit-policies.yml.bak rate-limit-policies.yml
 fi
-perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"2h\",\2\3/igs" config/ca-a.json
-perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"2h\",\2\3/igs" config/ca-b.json
+perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-a.json
+perl -i -p0e "s/(\"maxNames\": [^\n]*).*?(\s+)(\"lifespanOCSP\":)/\1\2\"lifespanCRL\": \"96h\",\2\3/igs" config/ca-b.json
+sed -i -e "s/\"ocspMinTimeToExpiry\": \".*\"/\"ocspMinTimeToExpiry\": \"48h\"/" config/ocsp-updater.json
 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-a.json
 sed -i -e "s|\"issuerURL\": \".*\"|\"issuerURL\": \"http://$PKI_FQDN/aia/issuer/$PKI_ISSUER_NAME_ID\"|" config/ca-b.json
diff --git a/patches/config_crl-updater.patch b/patches/config_crl-updater.patch
index e8d3bc0..dbfb5ff 100644
--- a/patches/config_crl-updater.patch
+++ b/patches/config_crl-updater.patch
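Review bot: Nothing after the two `perl -i -p0e` rewrites or the added `sed -i` on config/ocsp-updater.json checks that a substitution took place, and both tools exit 0 when the pattern does not match. If the upstream config ever renames or reorders `maxNames`, `lifespanOCSP` or `ocspMinTimeToExpiry`, the files keep upstream's values and the CA runs with revocation timings nobody chose. I would follow the edits with `for f in config/ca-a.json config/ca-b.json; do grep -q '"lifespanCRL": "96h"' "$f" || exit 1; done` and `grep -q '"ocspMinTimeToExpiry": "48h"' config/ocsp-updater.json || exit 1`. The rest of the script is outside this hunk, so whether a later step already validates these files is not visible here.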
@@ -22,8 +22,8 @@ index 875fc7ab..9c0ea6ed 100644
 - "updatePeriod": "6h",
 - "updateOffset": "9120s",
 - "maxParallelism": 10
-+ "updatePeriod": "1h",
-+ "updateOffset": "120s",
++ "updatePeriod": "24h",
++ "updateOffset": "62m",
 + "maxParallelism": 1
 },
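Review bot: With `"updatePeriod": "24h"` a revocation can wait up to a day before it shows up in a published CRL, and nothing in the commit records why that delay is acceptable. Together with the `lifespanCRL` of 96h set in gui/apply-boulder, a relying party that caches the CRL may keep accepting a revoked certificate for several days, assuming crl-updater uses these values the way their names suggest. JSON has no comment syntax, so I would record the intent next to the `lifespanCRL` lines in gui/apply-boulder, e.g. `# CRL is regenerated every 24h (crl-updater updatePeriod) and valid for 96h; a revocation may take up to 24h to be published`. If operators need faster publication after a key compromise, the documentation should say how to start a crl-updater run by hand.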