Add --must-staple when renewing a certificate

My domain is:

I ran this command:
certbot renew --cert-name --must-staple --force-renewal

It produced this output: n/a

My web server is (include version): n/a (certificate was obtained with certonly and uses a dns challenge)

The operating system my web server runs on is (include version): ubuntu 20.04

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

I have some existing certificates and I want to add the OCSP Must Staple extension to them. I tried with the command above, and it completed with no errors: the certificate was renewed successfully, and must_staple = True was added to the renewal config. But when I checked the certificate afterwards (with openssl x509 -text), the certificate did not have the OCSP Must Staple flag. Interestingly, this worked fine when I tried the same with a staging certificate: after renewal the certificate had the flag as expected.
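The two things worth checking after a renewal like the one above are (a) whether the certificate file on disk actually carries the OCSP Must-Staple extension (RFC 7633 "TLS Feature", OID 1.3.6.1.5.5.7.1.24, value status_request), and (b) whether the renewal config will keep requesting it. The script below is an added example, not code from the thread or from Certbot; it builds its own constructed test material (two self-signed certificates and two hypothetical renewal configs in a temp directory) so it runs offline, and the host name and paths it mentions are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): detect the OCSP Must-Staple extension in a
# PEM certificate and in a Certbot renewal config. Requires OpenSSL 1.1.1+ (for
# -addext in the fixture builder; the checks themselves also work on older 1.1.x).
set -eu

# Returns 0 if the PEM certificate in $1 has the "TLS Feature" extension with
# status_request (Must-Staple), 1 if it does not, 2 if the file is unreadable.
# OpenSSL 1.1.x and 3.x both print the extension in -text output as
#     TLS Feature:
#         status_request
has_must_staple() {
    [ -r "$1" ] || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/TLS Feature/{n;p;}' \
        | grep -q 'status_request'
}

# Returns 0 if the Certbot renewal config in $1 (normally
# /etc/letsencrypt/renewal/NAME.conf, NAME being the lineage passed to
# --cert-name) contains "must_staple = True", so future renewals request it.
renewal_requests_must_staple() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*must_staple[[:space:]]*=[[:space:]]*True[[:space:]]*$' "$1"
}

# Returns 0 if the certificate actually served on $1:443 has Must-Staple. A
# renewed file on disk changes nothing until the service using it reloads it,
# so this is the check that matters for clients. (Not exercised offline.)
served_has_must_staple() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n '/TLS Feature/{n;p;}' \
        | grep -q 'status_request'
}

# Constructed fixtures (assumption: not real Let's Encrypt material): one
# self-signed cert with tlsfeature=status_request, one without, and two
# hypothetical renewal configs in Certbot's INI-style format.
make_fixtures() {
    dir=$1
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/key1.pem" -out "$dir/must-staple.pem" -days 1 \
        -subj '/CN=must-staple.example' -addext 'tlsfeature=status_request' 2>/dev/null
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$dir/key2.pem" -out "$dir/plain.pem" -days 1 \
        -subj '/CN=plain.example' 2>/dev/null
    printf '[renewalparams]\nmust_staple = True\n' > "$dir/staple.conf"
    printf '[renewalparams]\nauthenticator = manual\n' > "$dir/nostaple.conf"
}

main() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    for f in must-staple.pem plain.pem; do
        if has_must_staple "$dir/$f"; then
            echo "$f: Must-Staple present"
        else
            echo "$f: no Must-Staple"
        fi
    done
    rm -rf "$dir"
}
main
```

On a real machine the call is `has_must_staple /etc/letsencrypt/live/NAME/cert.pem` followed by `served_has_must_staple your.domain`. Two caveats a practitioner should keep in mind: `--force-renewal` on production issues a new certificate each time and counts against Let's Encrypt's duplicate-certificate rate limit (5 per week for the same set of names), which is one reason to experiment on staging first, as the poster did; and once the extension is present, a server that serves the certificate without a stapled OCSP response will have its connections refused by clients that enforce Must-Staple (Firefox does), so verify stapling with `openssl s_client -connect your.domain:443 -status` before relying on it.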


Hi @maxfliri

Checking your domain, there is the OCSP Must Staple.

With my browser (Firefox):

Via SSL Server Test (Powered by Qualys SSL Labs):

It's also clearly visible in the certificate itself with an OpenSSL output:

Well, this is embarrassing. You are right, but for some reason last night I could not see it, and I did check and recheck before opening this thread. Now I checked again, and tried again with another certificate, and yes everything works as expected. :weary:

Thank you so much for your time and help, it's much appreciated.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.