Disabling OCSP Must Staple in Certbot

Help
1

OK, so simple question about the statement "please change your ACME client configuration to not request OCSP Must Staple"

The original cert was requested via cmdline with "--must-staple --staple-ocsp". The original /etc/letsencrypt/renewal/<domain>.conf for the domain did not have anything mentioning "staple" in it, though the dated renewal file DOES have "must_staple = True" in it.

To ensure subsequent renewals do not request OCSP Must Staple is it just a matter of removing that line in the dated file ? Or setting it to False ?

2

Actually I was a bit mistaken there ...

The dated /etc/letsencrypt/renewal/domain.conf file had the "must_staple = True" in it, and used cloudflare DNS for authentication when originally requesting the cert. I think this was auto-generated by certbot ?

The non-dated one is the live one, using webroot for authentication. That one does NOT have anything about staple in it.

So given that there is no config specifically requesting staple, does the fact that the existing cert have it make a difference ?

3

I am not sure what you mean by "dated". Do you mean a certificate "name" with '-0001' on the end?

In any case, if you don't need the one with must-staple you can delete it using:

sudo certbot delete --cert-name X

Where X is the cert-name from: sudo certbot certificates

Be sure you are not using it before deleting it: User Guide — Certbot 3.2.0.dev0 documentation

1 Like