Requires chain_path for nginx versions supporting OCSP stapling

--chain-path config is not mandatory, so we require this property if nginx supports OCSP stapling. Alternatively, we could disable OCSP stapling on supported nginx versions if --chain-path is missing.
2026-06-03 13:59:02 -04:00 · 2016-01-04 12:00:20 -05:00 · 2016-01-04 12:00:20 -05:00 · 74237d1010
commit 74237d1010
parent be4d56c353
2 changed files with 19 additions and 1 deletions
--- a/letsencrypt-nginx/letsencrypt_nginx/configurator.py
+++ b/letsencrypt-nginx/letsencrypt_nginx/configurator.py
@ -122,7 +122,7 @@ class NginxConfigurator(common.Plugin):

    # Entry point in main.py for installing cert
    def deploy_cert(self, domain, cert_path, key_path,
-                    chain_path, fullchain_path):
+                    chain_path=None, fullchain_path=None):
        # pylint: disable=unused-argument
        """Deploys certificate to specified virtual host.

@ -136,6 +136,9 @@ class NginxConfigurator(common.Plugin):

        .. note:: This doesn't save the config files!

+        :raises errors.PluginError: When unable to deploy certificate due to
+            a lack of directives or configuration
+
        """
        vhost = self.choose_vhost(domain)
        cert_directives = [['ssl_certificate', fullchain_path],
@ -150,6 +153,12 @@ class NginxConfigurator(common.Plugin):
                ['ssl_stapling', 'on'],
                ['ssl_stapling_verify', 'on']]

+        if len(stapling_directives) != 0 and not chain_path:
+            raise errors.PluginError(
+                "--chain-path is required to enable "
+                "Online Certificate Status Protocol (OCSP) stapling "
+                "on nginx >= 1.3.7.")
+
        try:
            self.parser.add_server_directives(vhost.filep, vhost.names,
                                              cert_directives, replace=True)
--- a/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py
+++ b/letsencrypt-nginx/letsencrypt_nginx/tests/configurator_test.py
@ -125,6 +125,15 @@ class NginxConfiguratorTest(util.NginxTest):
        self.assertTrue(util.contains_at_depth(generated_conf,
                                               ['ssl_trusted_certificate', 'example/chain.pem'], 2))

+    def test_deploy_cert_stapling_requires_chain_path(self):
+        self.config.version = (1, 3, 7)
+        self.assertRaises(errors.PluginError, self.config.deploy_cert,
+            "www.example.com",
+            "example/cert.pem",
+            "example/key.pem",
+            None,
+            "example/fullchain.pem")
+
    def test_deploy_cert(self):
        server_conf = self.config.parser.abs_path('server.conf')
        nginx_conf = self.config.parser.abs_path('nginx.conf')