[ansible/artifactory] Enable OCSP stapling support artifactory_nginx_ssl
Is this a request for help?:
Is this a BUG REPORT or FEATURE REQUEST? (choose one): FEATURE REQUEST
Which installer: Ansible
Which product and version (eg: ansible & collection version - 7.24.2): Artifactory
Which operating system and version(eg: ubuntu & version - 20.4): All
Which product license (Enterprise/Pro): N/A
JFrog support reference (if already raised with support team):
What happened: Enable support to use OCSP Stapling in NGINX conf file (https://github.com/jfrog/JFrog-Cloud-Installers/blob/master/Ansible/ansible_collections/jfrog/platform/roles/artifactory_nginx_ssl/templates/artifactory.conf.j2)
This can be done by adding the following in the section with the other ssl parameters:
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/artifactory-fullchain.crt;
For this to work you'll need to set ssl_trusted_certificate which contains the entire certificate chain.
What you expected to happen: Introduce a new variable to the playbook called ssl_certificate_fullchain. If this is set, then enable stapling as shown above. This will allow people that want stapling to set the ssl_certificate_fullchain variable.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know:
ssl_certificate is already used as the variable for the certificate (chain), so no need for ssl_trusted_certificate.
This feature is implemented in PR 358
JFrog R&D still looking at this repo?
https://letsencrypt.org/2024/12/05/ending-ocsp/
Yeah, OCSP is sadly dying. I'm closing this issue...