updated ssl

files/config/conf.d/ssl.conf

@@ -1,9 +1,10 @@
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
 
 # intermediate configuration. tweak to your needs.
-ssl_protocols TLSv1  TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA';
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
 ssl_prefer_server_ciphers on;
 
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
@@ -12,5 +13,5 @@ proxy_hide_header Strict-Transport-Security;
 
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
-ssl_stapling on;
+#ssl_stapling on;
-ssl_stapling_verify on;
+#ssl_stapling_verify on;

templates/ssl_files.j2

@@ -2,7 +2,7 @@
 ssl_certificate /etc/ssl/{{ inventory_hostname }}.crt;
 ssl_certificate_key /etc/ssl/private/{{ inventory_hostname }}.key;
 ## verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /etc/ssl/{{ inventory_hostname }}.crt;
+ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/ssl/dhparams.pem;