Certbot enhance --must-staple

Hello,

I’ve been successfully using Let’s Encrypt on a particular domain for quite some time. I’ve chosen it to experiment with Must-Staple. So I issued the command:
$ certbot enhance --must-staple

certbot configured Apache to start stapling. But it didn’t create a new certificate. Hmm. So I forced a renewal of the certificate. It renewed, no problem. But the renewed certificate does not have Must-Staple enabled.

Is something broken or am I doing something wrong?

Hi @Xan

These are two different things.

  • Your server may have a Staple-configuration - active / inactive.
  • If that works, your certificate may have a must staple extension. But you have to add that flag when creating a new certificate.

https://certbot.eff.org/docs/using.html

--must-staple         Adds the OCSP Must Staple extension to the
                        certificate. Autoconfigures OCSP Stapling for
                        supported setups (Apache version >= 2.3.3 ). (default:
                        False)

So if you only renew a certificate the extension doesn't exist.

But if you add the extension, you must have a working staple support.

So

  • add the staple support, use that a few weeks.
  • If that works, create one certificate with that flag.

Sometimes there may be a curious error message if the certificate has that extension.

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

Hitting F5 helps :wink:

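As an added example (not code from this thread or from certbot), a POSIX shell check for the two separate things this reply describes: whether a certificate file actually carries the Must-Staple extension, and whether a server is stapling at all. It assumes OpenSSL 1.1.1 or newer on PATH; the self-signed test certificates, the name example.test and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not certbot's own tooling. Assumes OpenSSL >= 1.1.1
# (needed for -addext when building the constructed test certificates).

# Exit 0 if the PEM certificate in $1 carries the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24 with value status_request), i.e. OCSP Must-Staple;
# exit 1 otherwise. This is the certificate-side half that only a new
# issuance with --must-staple adds; a plain renewal does not.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Exit 0 if the TLS server at host $1, port $2 staples a successful OCSP
# response: the server-side half that the Apache configuration enables.
# Needs network access, so it is not exercised by the offline fixtures.
server_is_stapling() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -status 2>/dev/null | grep -q 'OCSP Response Status: successful'
}

# Constructed fixtures: self-signed certificates for a made-up name, one
# issued with the extension and one without, so the check can be tried
# offline. $1 = output PEM path, $2 = "yes" to include Must-Staple.
make_test_cert() {
    if [ "$2" = "yes" ]; then
        ext="-addext tlsfeature=status_request"
    else
        ext=""
    fi
    # $ext is left unquoted on purpose so it splits into two arguments
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=example.test" -days 1 -out "$1" $ext 2>/dev/null
}

# Usage: sh check_must_staple.sh /path/to/cert.pem
if [ -n "$1" ]; then
    if has_must_staple "$1"; then
        echo "Must-Staple present: $1"
    else
        echo "Must-Staple absent: $1"
    fi
fi
```

Point has_must_staple at certbot's renewed certificate to confirm the behaviour the thread describes; the live-server check confirms stapling independently of the extension.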

Thanks for your response!

The documentation says that “enhance” is supposed to “Add security enhancements to your existing configuration”. So is the “--must-staple” enhancement misnamed? It sounds like you’re saying all it’s supposed to do is enable stapling on the server. That is a very different thing from Must Staple.

I’m not following on the distinction between a new certificate and a renewed certificate. A renewal is the issuance of a new certificate, is it not? Why can’t the renewed certificate have the Must Staple flag set? I don’t see any reason it can’t.

PS: Rechecked the documentation.

"enhance" has no details.

To activate OCSP Stapling, you can use the --staple-ocsp parameter.

 --staple-ocsp         Enables OCSP Stapling. A valid OCSP response is
                        stapled to the certificate that the server offers
                        during TLS. (default: None)

No, that's only one part. You can use staple-ocsp with certificates that don't have the must-staple extension.

You’re definitely right that “enhance” is poorly documented.

The documentation does say, though, that its purpose is to add SECURITY enhancements. If all it does is configure stapling (which is all it seems to be doing), then that is not a security enhancement. That’s a performance enhancement which does nothing for security. So I stand by my assertion that the “--must-staple” enhancement is broken:

  • “enhance” is intended for security, which failing to enable Must Staple is not achieving.
  • the enhancement is named “must-staple”, which is not what it seems to actually do.
