From d08a37526fc79264899eca412afa8eb2e8f274fb Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 26 Feb 2015 17:38:30 +0300
Subject: [PATCH] roles/nginx: Don't send OCSP responses for hosts using self-signed certs

Signed-off-by: Alan Orth
---
 roles/nginx/templates/https.j2 | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/nginx/templates/https.j2 b/roles/nginx/templates/https.j2
index 73d1faa..cbf9769 100644
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@@ -14,10 +14,13 @@
 ssl_ciphers "{{ tls_cipher_suite }}";
 ssl_prefer_server_ciphers on;
 
+{# don't use OCSP stapling if we're using a self-signed cert #}
+{% if tls_cert is defined %}
 # OCSP stapling...
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.4.4 8.8.8.8;
+{% endif %}
 
 # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
 # when a restart is performed the previous key is lost, which resets all previous
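Review bot: The new `{% if tls_cert is defined %}` guard tests whether a certificate variable exists, not whether the certificate is CA-issued, so if this role can ever pass a self-signed cert through `tls_cert` the host keeps `ssl_stapling on` and nginx logs an OCSP fetch failure on every refresh; if that combination is possible, an explicit flag such as `{% if tls_cert is defined and not tls_self_signed|default(false) %}` states the intent directly. `ssl_stapling_verify on;` also only has trust anchors when `ssl_trusted_certificate` points at the issuer and root chain, so unless that directive is set outside this hunk the stapled response is not actually verified and the directive should be added beside the stapling block. Note that `resolver 8.8.4.4 8.8.8.8;` is now conditional as well; if anything else in this template (a `proxy_pass` to a hostname, say) depends on a resolver, hosts without `tls_cert` lose it, which is worth confirming, and while here `resolver 8.8.4.4 8.8.8.8 valid=300s;` plus `resolver_timeout 5s;` bounds how long an OCSP lookup can stall a worker. The Jinja comment would be clearer if it named what the guard actually tests: `{# OCSP stapling only makes sense for CA-issued certs; tls_cert is only set for those, so skip the whole block otherwise #}`.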