I came across the announcement that Let's Encrypt (LE) will be ending OCSP support in 2025. Does this mean we should proactively disable OCSP Stapling in our web server configurations? For Apache, I believe this would be done by setting (default = off):
SSLUseStapling Off
Would love to hear your thoughts or best practices regarding this change. Are there any potential downsides to disabling Stapling that we should consider?
Thanks in advance for your insights!
Cheers,
Andreas
Before the OCSP responders go offline (6 Aug), we'll remove the OCSP responder URLs from the issued certificates (7 May), which will remove the configuration webservers need to acquire the OCSP response to staple. So it will disable itself after the next renewal on or after 7 May.
Apache might emit a warning log or something at not being able to respect SSLUseStapling On but it won't error out or fail. (One of the concerns with Must-Staple is the part where most web servers would proceed without the staple rather than take corrective action.)
The configurations which will have trouble will be ones utilizing the more in-the-weeds configuration options like SSLStaplingForceURL (which would be problematic now with randomized intermediates anyway).
* January 30, 2025
* OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must-Staple extension
Have you considered leveraging the new automatic rate-limit pause for these users?
E.g. these users would get an immediate fail with the error message/link to unpause their account, which would only last until May 7th.
This would immediately alert the affected users, and light a fire for them to migrate.
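An added example (not code from anyone in this thread) that puts the two points above into a check you can run against your own certificates: the reply explaining that stapling disables itself once the OCSP responder URL disappears from the certificate, and the timeline item about OCSP Must-Staple. It assumes only the OpenSSL command line (1.1.1 or newer for `-addext`); the hostnames, file names and the throwaway self-signed certificates it generates are constructed for the example and carry no meaning beyond it.

```shell
#!/bin/sh
# Inspect a PEM certificate for what the thread above discusses:
#   1. an OCSP responder URL in the Authority Information Access extension
#      (without it, SSLUseStapling On has nothing to fetch and stapling
#      silently becomes a no-op after the next renewal);
#   2. the OCSP Must-Staple extension (TLS Feature: status_request), which
#      is the combination that actually breaks clients when a server serves
#      the certificate without a staple.
# Example hostnames/paths are constructed, not taken from any real deployment.

ocsp_url_of() {
  # Prints the OCSP responder URL(s) embedded in the certificate, if any.
  openssl x509 -in "$1" -noout -ocsp_uri
}

has_must_staple() {
  # Returns 0 when the certificate carries TLS Feature status_request
  # (OCSP Must-Staple), 1 otherwise.
  openssl x509 -in "$1" -noout -text | grep -q 'status_request'
}

stapling_status() {
  # One-word verdict suitable for monitoring or a renewal hook.
  url=$(ocsp_url_of "$1")
  if [ -z "$url" ]; then
    if has_must_staple "$1"; then
      echo "broken-must-staple-without-ocsp-url"   # clients will reject this
    else
      echo "stapling-not-applicable"               # the post-7-May situation
    fi
  elif has_must_staple "$1"; then
    echo "must-staple"                             # server MUST staple
  else
    echo "stapling-optional"                       # classic LE certificate
  fi
}

make_sample_cert() {
  # Constructed throwaway self-signed certificate so the script runs offline.
  # $1 = output PEM path; each further argument becomes one -addext value.
  out=$1; shift
  for e in "$@"; do set -- "$@" -addext "$e"; shift; done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=stapling.example.test" \
    -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Demo: one certificate per situation the thread describes.
workdir=$(mktemp -d)
make_sample_cert "$workdir/old.pem" "authorityInfoAccess=OCSP;URI:http://ocsp.example.test"
make_sample_cert "$workdir/new.pem"
make_sample_cert "$workdir/muststaple.pem" "tlsfeature=status_request"
for c in old new muststaple; do
  printf '%s: %s\n' "$c" "$(stapling_status "$workdir/$c.pem")"
done
rm -rf "$workdir"
```

Point `stapling_status` at the certificate Apache actually serves (the `SSLCertificateFile` path); `stapling-not-applicable` after a renewal is the expected outcome of the change described above, while `broken-must-staple-without-ocsp-url` means the ACME client is still requesting Must-Staple and needs its configuration changed before 7 May.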
That's an interesting idea! I don't think it's one we'll follow through on, though, largely because the pausing system simply isn't designed for that. It would take significant effort to modify that whole system to be able to serve error messages, links, and an "unpause yourself" page that are all talking about OCSP Must-Staple instead of Failed Authorizations.
In the future, a generalized system like that might be useful for breaking platform changes. You could deny issuance for deprecated parameters unless there is a manual unpause on the account, and reset that monthly until the Subscribers migrate or the deprecated param becomes officially unsupported. Adding that friction to Issuance will really notify and motivate subscribers.