Document OCSP remap requirement #12952
Document that ATS 10 and later fetch OCSP responses through FetchSM instead of OpenSSL. Add the remap.config requirement and a DigiCert mapping example to the OCSP stapling admin guide section so operators know they must map the responder URL.
Add the ATS 10 migration note for OCSP stapling to the upgrade notes as well as the admin guide. This calls out the remap.config requirement for OCSP responder URLs so operators upgrading from ATS 9 do not miss it.
|
|
||
| Before ATS 10, OCSP fetches were handled by OpenSSL. Starting in ATS 10, | ||
| |TS| performs the OCSP fetch itself through FetchSM, so the OCSP responder URL | ||
| must also be reachable through :file:`remap.config`. For example, if the |
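Review bot: the admin-guide sentence in this hunk documents the responder URL as something that "must also be reachable through remap.config", while the thread below ends with the author closing the PR because remap rules should not be needed for the OCSP fetch; before wording like this lands, confirm against the FetchSM fetch path whether the internal request is actually subject to remapping, since documenting an unnecessary public mapping leads operators to expose the responder through the proxy for no benefit. The hunk also ends mid-sentence at "For example, if the", so the example it introduces cannot be reviewed here.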
Ah, good point. OK, I'll close this PR. The remap.config rules shouldn't be needed for OCSP fetch.
Pull request overview
Documents the operational requirement for OCSP stapling in ATS 10+ where OCSP responses are fetched via FetchSM and therefore require an explicit remap.config mapping for the responder URL.
Changes:
- Added an upgrade note calling out the new OCSP responder remap requirement for ATS 10+ with a DigiCert example.
- Expanded the OCSP stapling admin guide to explain the OpenSSL → FetchSM behavior change and the required ``remap.config`` mapping.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| doc/release-notes/upgrading.en.rst | Adds an upgrade note describing remap requirements for OCSP responder access in ATS 10+. |
| doc/admin-guide/security/index.en.rst | Documents FetchSM-based OCSP fetching in ATS 10+ and provides a remap.config example. |
| Before ATS 10, OCSP fetches were handled by OpenSSL. Starting in ATS 10, | ||
| |TS| performs the OCSP fetch itself through FetchSM, so the OCSP responder URL |
Line 338 has `||TS|` (double pipe), which will render incorrectly in Sphinx and likely break the `|TS|` substitution. Replace it with `|TS|`.
| allocating iobuffers and cache volumes from hugepages if configured in the | ||
| system. | ||
| - The records.yaml entry ``proxy.config.plugin.compiler_path`` has been added to specify an optional compiler tool path for compiling plugins. | ||
| - If OCSP stapling is enabled, ATS 10 and later fetch OCSP responses through | ||
| FetchSM instead of OpenSSL. Add the OCSP responder URL from the certificate | ||
| to :file:`remap.config`. For example, a certificate that uses | ||
| ``http://ocsp.digicert.com/`` needs the following mapping: | ||
|
|
||
| .. code-block:: none | ||
|
|
||
| map http://ocsp.digicert.com/ http://ocsp.digicert.com/ | ||
|
|
||
| See :ref:`admin-ocsp-stapling` for more details. |
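Review bot: the `map http://ocsp.digicert.com/ http://ocsp.digicert.com/` line in this bullet is an ordinary client-facing remap rule, so besides letting the proxy's own OCSP fetch through it also lets any client that sends that host reach the DigiCert responder via the proxy; if the mapping really is required, the note should say how to restrict it (for example with a source-address filter on the rule or in ip_allow) or state plainly that the proxy is expected to relay to the responder. The bullet should also make clear that the DigiCert URL is only an example: the URL to map is the OCSP responder given in each certificate, and a chain whose certificates point at different responders needs one rule per responder.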
This new bullet is placed under 'The following records.yaml changes have been made', but it describes a remap.config requirement (not a records.yaml change). Consider moving this note to a more appropriate upgrade subsection (e.g., SSL/OCSP, or a general 'behavior changes' section) to avoid misleading readers.
Document that ATS 10 and later fetch OCSP responses through
FetchSM instead of OpenSSL.
Add the remap.config requirement and a DigiCert mapping example
to the OCSP stapling admin guide section so operators know they
must map the responder URL.