This is a short follow-up article to the NAS TLS certificate replacement one I wrote a few months back. Since then I have set up monitoring of the TLS certificates I’ve deployed.
Yesterday was the day that the TLS certificate of my Synology NAS expired. And since I have no monitoring to alert me, I only found out today. The bad news: HSTS was also enabled so my browser did not want to connect, even though I told it to ignore the invalid certificate. The good news: the SSH service was enabled. This allowed me to fix this situation via the command line interface (CLI).
The Heartbleed bug triggered a review of the configuration of my own web server. As a result I discovered that I had my Online Certificate Status Protocol (OCSP) stapling configured wrong. In this article I will briefly explain OCSP and OCSP stapling, what I had done wrong and what is a—as far as I know now—right way to implement OCSP stapling in Nginx.
Since April 2012 we are using Whiskers to store information about our Plone and Django buildouts. But when I moved the setup behind SSL, the browser started to complain about unsafe content.