
HPKP - HTTP Public Key Pinning Extension #26

Open
AnBuKu opened this issue Sep 23, 2015 · 3 comments

Comments


AnBuKu commented Sep 23, 2015

Based on an IRC chat with drybjed, I am adding this request here and not to ansible-nginx.

HPKP is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities.

Read more about it in the links below.

Links:
https://tools.ietf.org/html/rfc7469
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
https://raymii.org/s/articles/HTTP_Public_Key_Pinning_Extension_HPKP.html
https://github.com/debops/ansible-nginx
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

drybjed (Member) commented Sep 23, 2015

Just to clarify, HPKP needs a certificate file with full chain of intermediate certificates and root CA certificate included. This is done best in debops.pki role which currently handles for example combined key + certificate for certain applications. I'll add support for it with the role overhaul.

ypid (Member) commented Sep 19, 2016

https://bettercrypto.org also has a nice summary of how this can be done. Also, no need to fear this feature. There is a Report-Only option which we could maybe even make the default (at least for LE, as it is unlikely that people would use another CA if they use LE); not sure yet if https://report-uri.io/ supports that or if there are other services like this. So there is no excuse for not enabling this 😉
Edit: https://report-uri.io/ requires registration so it would be difficult to enable Report-Only by default unfortunately.

The requirements that @drybjed mentioned have been implemented by @drybjed in the meantime.
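Tying together drybjed's note that the pins are derived from the certificates and ypid's point about rolling out with Report-Only first, the following is an added example (not DebOps or ansible-nginx code) that computes RFC 7469 pins with openssl and builds the header. It assumes openssl on PATH and a placeholder report URI; the two certificates are generated locally as stand-ins for the live certificate and a backup key.

```shell
#!/bin/sh
# Added example, not part of the DebOps roles. Assumes the openssl CLI.
set -eu

# pin_from_pem FILE -> base64(sha256(DER SubjectPublicKeyInfo)), RFC 7469 s.2.4.
# The pin covers the public key, not the whole certificate, so any cert in
# the chain (leaf, intermediate, root) can be pinned the same way.
pin_from_pem() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A
}

# hpkp_header MODE MAX_AGE REPORT_URI PIN... -> one header line.
# MODE is "enforce" or "report-only". RFC 7469 requires a backup pin, so
# fewer than two pins is refused: without one a key rotation locks clients out.
hpkp_header() {
  mode=$1; max_age=$2; report_uri=$3; shift 3
  [ "$#" -ge 2 ] || { echo "need a live pin and a backup pin" >&2; return 1; }
  name='Public-Key-Pins'
  [ "$mode" = report-only ] && name='Public-Key-Pins-Report-Only'
  value=''
  for p in "$@"; do value="${value}pin-sha256=\"$p\"; "; done
  printf '%s: %smax-age=%s; report-uri="%s"\n' \
    "$name" "$value" "$max_age" "$report_uri"
}

# Demo: two throwaway self-signed certs (constructed here) stand in for the
# live certificate and the offline backup key.
demo() {
  d=$(mktemp -d)
  for n in live backup; do
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -out "$d/$n.crt" -subj "/CN=example.invalid" -days 1 >/dev/null 2>&1
  done
  live=$(pin_from_pem "$d/live.crt"); backup=$(pin_from_pem "$d/backup.crt")
  rm -rf "$d"
  # Report-Only: browsers report mismatches to report-uri but never block,
  # so a wrong pin set costs nothing while the deployment is being validated.
  hpkp_header report-only 5184000 "https://example.invalid/hpkp-report" \
    "$live" "$backup"
}
```

Switch the first argument to `enforce` only after the reports stay clean for a full rotation cycle.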

AnBuKu (Author) commented Jan 6, 2017

For the record: OWASP on Certificate and Public Key Pinning and the Transport Layer Protection Cheat Sheet, with quite useful, practical/hands-on hints and checklists.
