Checking for required OCSP URLs

Instead of going through the CSV file offered via this post, isn't it easier to check for the setting with grep -r must_staple /etc/letsencrypt/renewal. If you get no results, one should be safe, yes?!

Moreover, all renewals after January 30, 2025, should have failed, which is also a good indicator that one is safe here.

I am asking because a cert issued on April 5, 2025, emits http://r10.o.lencr.org as the OCSP URI, which is confusing me.

openssl s_client -connect wiki.bvrk.de:443 -servername wiki.bvrk.de </dev/null 2>/dev/null \
  | openssl x509 -noout -ocsp_uri
http://r10.o.lencr.org

Just checking if my quick and dirty assessment is correct. I do not really understand much of the inner workings of certs and stuff. Cheers

You're safe!

The reason the blog post doesn't say to inspect /etc/letsencrypt/renewal is that not everyone has that directory: it is specific to Certbot, but there are many other ACME clients out there which use different on-disk storage locations and formats.

And don't worry about your openssl output: every cert (until May 7, and unless you request the tlsserver profile) contains an OCSP URI. You only have a problem if the cert also contains the OCSP Must-Staple extension, which yours does not.

7 Likes
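The distinction the answer draws (an OCSP responder URI is in nearly every cert; only the TLS Feature extension, OID 1.3.6.1.5.5.7.1.24 with value status_request, makes it Must-Staple) can be checked mechanically. The script below is an added example, not code from the thread or from Let's Encrypt or Certbot. It assumes OpenSSL 1.1.1 or newer (for -addext), builds two constructed self-signed sample certs and a constructed Certbot-style renewal conf so it runs offline, and wraps the poster's s_client pipeline in a function for live hosts.

```sh
#!/bin/sh
# Added example, not from the thread. Requires OpenSSL 1.1.1+ (for -addext).
# Shows why an OCSP responder URI alone is harmless: only the TLS Feature
# extension (OID 1.3.6.1.5.5.7.1.24, value status_request) imposes Must-Staple.

# Report "must-staple" or "no-must-staple" for a PEM certificate file.
check_must_staple() {
  # -ocsp_uri prints the AIA responder URL; almost every cert has one.
  # The Must-Staple property lives in a separate extension, so we look for
  # the TLS Feature value in the full text dump instead.
  if openssl x509 -in "$1" -noout -text | grep -q 'status_request'; then
    echo "must-staple"
  else
    echo "no-must-staple"
  fi
}

# Same check against a live server: the thread's s_client pipeline, but
# saving the leaf cert so both the URI and the extension can be inspected.
check_host_must_staple() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$tmp"
  echo "OCSP URI: $(openssl x509 -in "$tmp" -noout -ocsp_uri)"
  check_must_staple "$tmp"
  rm -f "$tmp"
}

# Certbot-only shortcut from the question: list renewal configs that set
# must_staple. Takes the renewal directory (default /etc/letsencrypt/renewal).
certbot_must_staple_confs() {
  grep -rl 'must_staple' "${1:-/etc/letsencrypt/renewal}" 2>/dev/null || true
}

# Constructed sample data: two self-signed certs, both carrying an OCSP URI,
# one additionally carrying TLS Feature = status_request, plus a constructed
# Certbot-style renewal conf that opted into Must-Staple. Prints the directory.
make_samples() {
  dir=$(mktemp -d)
  for name in plain staple; do
    extra=""
    [ "$name" = staple ] && extra="-addext tlsfeature=status_request"
    # $extra is intentionally unquoted so it expands to two arguments.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=sample.invalid \
      -keyout "$dir/$name.key" -out "$dir/$name.pem" \
      -addext "authorityInfoAccess=OCSP;URI:http://ocsp.sample.invalid" \
      $extra >/dev/null 2>&1
  done
  mkdir "$dir/renewal"
  printf '[renewalparams]\nmust_staple = True\n' > "$dir/renewal/sample.invalid.conf"
  echo "$dir"
}

# Usage: d=$(make_samples); check_must_staple "$d/plain.pem"   # no-must-staple
#        check_must_staple "$d/staple.pem"                      # must-staple
#        check_host_must_staple example.org                     # live host
```

Running check_must_staple on the plain sample returns "no-must-staple" even though openssl x509 -ocsp_uri on the same file prints http://ocsp.sample.invalid, which is exactly the situation in the question: a responder URI without the Must-Staple extension.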

Cool. Thanks a lot for your insight. I appreciate it a lot. Yeah, I only thought about my little cert environment run with certbot. :expressionless:

2 Likes