So I am in the process of improving the configuration of about a hundred websites using server blocks listening to port 443 and using HTTP/2 and I have some doubts related to OCSP stapling.
All my SSL options are in a separate file, included from each server block (but for ssl_certificate_key, of course). Since all my TLS certificates are issued by Let's Encrypt via an Ansible playbook (using community.crypto.acme_certificate), I was considering adding the following to these shared SSL options:
That is, sharing the ~/letsencrypt/etc/live/example.com/chain.pem file, which is the same for all my certificates (since the root and intermediate certificates used to generate such file are the same).
Is it "okay" to do so, or is there some reason I am not taking into consideration that would lead me to move the ssl_trusted_certificate directive out of the shared include and into each server block, where the linked file would be the chain.pem file generated for each certificate?
Is the ISRG Root OCSP X1 (Signed by ISRG Root X1) certificate available at the OCSP Signing Certificate section of the Chain of Trust page of Let's Encrypt a valid value for this directive, or does it have to be the chain.pem file generated with each certificate?
I ask this because, ideally, I would take it from that web page and deploy it while setting up my NGINX server via an Ansible playbook rather than when deploying a website (where I would just be copying the fullchain.pem for the ssl_certificate directive and the privkey.pem for the
Any feedback would be much appreciated. Thanks in advance.
My domain is: N/A
I ran this command: N/A
It produced this output: N/A
My web server is (include version): NGINX 1.23.3
The operating system my web server runs on is: Debian 11 Bullseye
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine: Yes
I'm using a control panel to manage my site: No
The version of my client is: Ansible module
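Before pointing a shared ssl_trusted_certificate at one chain.pem, the audit worth running across all the sites is whether that file actually contains the issuer of each site's leaf certificate, since a CA can issue from more than one intermediate. The script below is an added example and not part of the original post; it builds a throwaway root, two intermediates and two leaves with openssl (constructed, hypothetical names, nothing from Let's Encrypt) and checks each site's fullchain.pem against one shared chain.pem.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf hierarchy (hypothetical names, not Let's Encrypt's),
# used to check whether one shared chain.pem covers the issuer of every site's leaf certificate.
set -eu
WORK=$(mktemp -d)

# Self-signed root CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# issue NAME SUBJECT CA: key + CSR for SUBJECT, signed by CA, written to $WORK/NAME.pem
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue inter_a "/CN=Example Intermediate A" root     # intermediate most sites were issued from
issue inter_b "/CN=Example Intermediate B" root     # a second intermediate the same CA operates
issue site1   "/CN=site1.example"         inter_a
issue site2   "/CN=site2.example"         inter_b

# Files as an ACME client would leave them: a per-site fullchain.pem, plus one shared chain.pem
cat "$WORK/site1.pem" "$WORK/inter_a.pem" > "$WORK/site1.fullchain.pem"
cat "$WORK/site2.pem" "$WORK/inter_b.pem" > "$WORK/site2.fullchain.pem"
cp  "$WORK/inter_a.pem"                     "$WORK/shared.chain.pem"

# issuer_in_chain FULLCHAIN CHAIN: exit 0 if some certificate in CHAIN has the subject DN
# that the leaf (first certificate in FULLCHAIN) names as its issuer, else exit 1.
issuer_in_chain() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  rm -rf "$WORK/split"; mkdir "$WORK/split"
  # one file per PEM block, because openssl x509 only reads the first certificate of a file
  awk -v dir="$WORK/split" '/BEGIN CERT/{n++} {print > (dir "/" n ".pem")}' "$2"
  for c in "$WORK"/split/*.pem; do
    subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    [ "$subject" = "$issuer" ] && return 0
  done
  return 1
}

# A site issued from the shared intermediate passes; one issued from another does not.
issuer_in_chain "$WORK/site1.fullchain.pem" "$WORK/shared.chain.pem" \
  && echo "site1: shared chain.pem contains the leaf's issuer"
issuer_in_chain "$WORK/site2.fullchain.pem" "$WORK/shared.chain.pem" \
  || echo "site2: issued from another intermediate; shared chain.pem does not cover it"
```

Run against the real per-site fullchain.pem files and the candidate shared file; a bundle holding every intermediate the CA uses (or the root) passes for all sites, while a single intermediate passes only for the sites issued from it.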