commit eb92ad740bd35c6c0b2ecfb5266b9cc623f510da
parent 8800fabca14901203230beb75f3861a80ca4b400
Author: Christian Grothoff <christian@grothoff.org>
Date: Sun, 22 Mar 2026 22:59:34 +0100
fix migration issues for #11223
Diffstat:
2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/roles/challenger/templates/etc/nginx/conf.d/challenger-tls.conf.inc b/roles/challenger/templates/etc/nginx/conf.d/challenger-tls.conf.inc
@@ -2,10 +2,3 @@
ssl_certificate /etc/letsencrypt/live/challenger/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/challenger/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/challenger/chain.pem;
-ssl_prefer_server_ciphers on;
-ssl_session_cache shared:SSL:10m;
-ssl_dhparam /etc/ssl/private/dhparam.pem;
-ssl_protocols TLSv1.3 TLSv1.2;
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-
-add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-\ No newline at end of file
diff --git a/roles/webserver/files/etc/nginx/conf.d/http2-http3.conf b/roles/webserver/files/etc/nginx/conf.d/http2-http3.conf
@@ -7,12 +7,20 @@ http3 on;
quic_retry on;
ssl_early_data on;
-ssl_prefer_server_ciphers on;
-# Note: session cache is shared across all services on this server
-ssl_session_cache shared:TLS:10m;
-ssl_dhparam /etc/ssl/private/dhparam.pem;
-ssl_protocols TLSv1.3 TLSv1.2;
-ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+
+# FIXME: comment-in later, upgrade fails if we put this immediately,
+# we need to run once without, otherwise nginx will see these
+# directives twice in different places and the setup script will fail.
+# NOTE: remove the above comment AND the commented out lines
+# below once spec has been updated once -- then update immediately
+# again!
+
+# ssl_prefer_server_ciphers on;
+## Note: session cache is shared across all services on this server
+# ssl_session_cache shared:TLS:10m;
+# ssl_dhparam /etc/ssl/private/dhparam.pem;
+# ssl_protocols TLSv1.3 TLSv1.2;
+# ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# Dummy server because 'reuseport' must be specified, but only
# exactly once, so we use this dummy to basically only set 'reuseport'
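Review bot: With `ssl_protocols` commented out at the `# ssl_protocols TLSv1.3 TLSv1.2;` line, the interim deployment runs on nginx's built-in protocol default, which on releases before 1.23.4 still enables TLSv1 and TLSv1.1, and the `add_header Strict-Transport-Security` line dropped from challenger-tls.conf.inc in the first hunk has no counterpart here, so the challenger vhost loses HSTS for as long as the FIXME window lasts. Unless the duplicate-directive failure the comment describes is caused by `ssl_protocols` itself (it is legal at both http and server level, with the server value overriding, so the conflict is presumably in the same context somewhere outside this diff), consider leaving `ssl_protocols TLSv1.3 TLSv1.2;` and `ssl_prefer_server_ciphers on;` active and carrying the HSTS header into this file. The two-phase rollout is currently tracked only by a free-text FIXME; tagging it `# FIXME(#11223): ...` would make the follow-up step findable when the spec is updated.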
@@ -22,4 +30,7 @@ server {
listen [::]:443 quic reuseport;
server_name _;
return 444; # drop unmatched requests silently
+
+ # We just need SOME certificate here, could use any.
+ include conf.d/challenger-tls.conf.inc;
}
\ No newline at end of file
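Review bot: The new `include conf.d/challenger-tls.conf.inc;` makes the catch-all `server_name _` block hard-depend on the challenger Let's Encrypt files existing at nginx start, so on a freshly provisioned host where that certificate has not been issued yet nginx will refuse to load the whole configuration rather than just this dummy server; the server block itself starts outside the hunk. The include also now carries only `ssl_certificate*` lines (after the first hunk), so this block inherits protocol and cipher settings from the http level, which this commit leaves at nginx defaults. Suggest stating the bootstrap ordering in the comment, e.g. `# Requires /etc/letsencrypt/live/challenger/* to exist; certbot must run before nginx is (re)started.`, and, if the cert-before-nginx ordering is not already enforced by the playbook, using a placeholder self-signed certificate for this catch-all instead of the production one.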