From a2f4e1d8fe70d02877472bc0b705cbfa702996d5 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Sun, 4 May 2025 21:43:29 -0400
Subject: [PATCH] handle Let's Encrypt removing OCSP support

We can no longer use OCSP stapling and Must-Staple. These will soon be obsolete once the `shortlived` profile is available for public use since it will provide certificates with a similar lifetime as OCSP responses. In the meantime, we've moved to the `tlsserver` profile stripping legacy features to prepare for the `shortlived` profile which will be identical to `tlsserver` but with a validity period of 6 days.
---
 nginx/nginx.conf | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 41bf02e..d3ed380 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -66,11 +66,6 @@ http {
 ssl_session_timeout 1d;
 ssl_buffer_size 4k;
 
- ssl_trusted_certificate /etc/letsencrypt/live/matrix.grapheneos.org/chain.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_stapling_file /var/cache/certbot-ocsp-fetcher/matrix.grapheneos.org.der;
-
 log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
 '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
 '$request_time $upstream_connect_time/$upstream_header_time/$upstream_response_time '