In this release we made a couple of minor changes to our configurations on Hypernode.

Increased the server_names_hash_bucket_size to 128

The server_names_hash_bucket_size NGINX config value was increased from 64 to 128 because the old value was causing issues with longer domain names. For example, trying to generate an SSL configuration for domains of a certain length could previously result in a configuration validation error.

~$ cat .dehydrated/domains.txt
cj8iml-vdloo-magweb-cmbl.nodes.hypernode.io
~/nginx$ cat nginx_error_output
nginx: [emerg] could not build server_names_hash
nginx: configuration file /etc/nginx/nginx.conf test failed

This issue has now been resolved.

Disabled OCSP_MUST_STAPLE in the pre-installed Let’s Encrypt client configuration

OCSP_MUST_STAPLE is now disabled by default in the dehydrated configuration. This feature was causing some issues in various versions of Firefox.

If you noticed the following warning message while using a Let’s Encrypt certificate, it was probably related to this issue.

 Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

We are now testing a new configuration so that we can re-enable this feature as the standard configuration. Until then, you can enable it yourself by creating a user-specific dehydrated config file like so:

cp /etc/dehydrated/config /the/working/dir/where/you/run/dehydrated/
# edit config and add the following line
OCSP_MUST_STAPLE="yes"

Take note that if you do so, future changes to that globally installed config file will not be propagated to your custom configuration.

Installed the fonts-droid package

As requested by Peter Jaap from Elgentos, this package is now available. This means that the following fonts are now pre-installed:

# dpkg -L fonts-droid | grep ttf
/usr/share/fonts/truetype/droid/DroidSans-Bold.ttf
/usr/share/fonts/truetype/droid/DroidSans.ttf
/usr/share/fonts/truetype/droid/DroidSansArabic.ttf
/usr/share/fonts/truetype/droid/DroidSansFallback.ttf
/usr/share/fonts/truetype/droid/DroidSansHebrew.ttf
/usr/share/fonts/truetype/droid/DroidSansJapanese.ttf
/usr/share/fonts/truetype/droid/DroidSansMono.ttf
/usr/share/fonts/truetype/droid/DroidSansThai.ttf
/usr/share/fonts/truetype/droid/DroidSerif-Bold.ttf
/usr/share/fonts/truetype/droid/DroidSerif-BoldItalic.ttf
/usr/share/fonts/truetype/droid/DroidSerif-Italic.ttf
/usr/share/fonts/truetype/droid/DroidSerif-Regular.ttf

Small change to the app SPF record

The record is now less restrictive: the ?all term (the all mechanism with the neutral qualifier) was added.

dig TXT spf.vdloo.hypernode.io | grep spf
; <<>> DiG 9.10.3-P4-Ubuntu <<>> TXT spf.vdloo.hypernode.io
;spf.vdloo.hypernode.io.        IN  TXT
spf.vdloo.hypernode.io. 599 IN  TXT "v=spf1 ip4:some_ip/24 include:spf.byte.nl ?all"

Also, the _spf.hypernode.com record is being deprecated. It was invalid because it caused too many DNS lookups.
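
The "too many DNS lookups" failure can be checked before a record is published: RFC 7208 allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) per SPF evaluation. The following is an added example, not Hypernode's own tooling; the zone data is constructed and the .example domains and function names are hypothetical.

```python
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Terms that make the receiving mail server issue a DNS query.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.IGNORECASE)

# Constructed TXT records standing in for live DNS (hypothetical domains).
ZONE = {
    "app.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example ?all",
    "relay.example": "v=spf1 mx a ip4:198.51.100.0/24 -all",
    "shared.example": "v=spf1 "
    + " ".join(f"include:n{i}.example" for i in range(6)) + " ?all",
}
ZONE.update({f"n{i}.example": "v=spf1 mx -all" for i in range(6)})


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record.

    Real evaluation stops at the first matching mechanism, so this is an
    upper bound. Macros in include/redirect targets are not expanded.
    """
    if domain in path:
        raise ValueError(f"SPF include loop: {' -> '.join(path + (domain,))}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        match = TERM_RE.match(term)
        if not match:
            continue
        name, arg = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            total += 1  # the term itself costs one lookup
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg, zone, path + (domain,))
    return total


def exceeds_limit(domain, zone):
    """True when a receiver may return permerror for this record."""
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT


if __name__ == "__main__":
    for name in ("app.example", "shared.example"):
        print(name, count_lookups(name, ZONE), exceeds_limit(name, ZONE))
```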