Having Certbot set up OCSP stapling "opportunistically" for servers

My domain is johnscott.me. I'm using a single Let's Encrypt-issued certificate for slapd 2.6, the directory server from the OpenLDAP project, as well as Apache 2.4 (usually following the latest upstream release). I do this from a Debian GNU/Linux Trixie ("testing") server running on a Linode virtual machine which I have full superuser privileges inside of. I don't use a control panel; I'm a Debian Maintainer for the project who calls the command line home. I'm using Certbot 2.9.0 installed from the official Debian package. (I understand that the Certbot folks strongly discourage the use of distro packages, but I respectfully disagree with their stance and am in a position to fix bugs in the package.)

This question doesn't pertain specifically to Let's Encrypt, but it's especially relevant to them. Also note that in this post I'm talking just about OCSP stapling generally, not the Must-Staple attribute.

Even if you don't wish to make OCSP stapling mandatory, I still admire that Certbot has a feature where it can help you set up OCSP stapling for servers that it knows about if you'd like (Apache being an example if you're using the Apache plugin). I therefore have this in the relevant configuration files:
staple-ocsp = True

My question is "What does Certbot do when you ask it to set up OCSP stapling on your web server for you, but your CA doesn't use OCSP or advertise any responders in your certificate anyway?" I see two scenarios:

  • Maybe Certbot picks up on the fact that the certificate doesn't have designated OCSP responders, but since the administrator specifically asked for stapling and can't have it, it throws some kind of error.
  • Alternatively, maybe Certbot doesn't pick up on OCSP being unsupported, blindly configures Apache to serve up staples, and then it becomes Apache's problem when it can't find a responder.

The purpose of my question is that I like OCSP, so I'd like to keep having Certbot set up stapling for me as long as my CA (Let's Encrypt in this particular case) continues to advertise support for it. An option like try-staple-ocsp sounds like what I'm looking for.

Does anyone know what Certbot does in a weird case like this? A dirty hack I might investigate is having Certbot do auto-renewal with staple-ocsp = False, and if a post-renewal hook finds that the certificate still advertises OCSP responders, then I'll have my hook run a second Certbot command and/or configure Apache manually to staple away.

1 Like

This is precisely what happens. The code that configures it is here: certbot/certbot-apache/certbot_apache/_internal/configurator.py at ba9f1939ab54274543f71af0d02eafb2e9be22b3 · certbot/certbot · GitHub

When Apache cannot find an OCSP URI in the certificate, despite being configured to use stapling, it will log these two errors on each start/reload:

[ssl:error] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [<cert details>]
[ssl:error] AH02604: Unable to configure certificate <cert> for stapling

See Apache source code for details (httpd/modules/ssl/ssl_util_stapling.c at 3ce4c8cdf8c42dcc25095186a0c6cf3481cc56dc · apache/httpd · GitHub, httpd/modules/ssl/ssl_engine_init.c at 3ce4c8cdf8c42dcc25095186a0c6cf3481cc56dc · apache/httpd · GitHub).

Apache is known to start even when errors are present, and I have verified that the certificate is still served, though without stapling of course. An Apache configtest does not flag this scenario; the error is only detected at runtime.

(As a side note, "the other" popular webserver nginx behaves slightly differently: if nginx is configured to use stapling on a cert that doesn't support it, it will print a warning to stdout/stderr during restarts (relatively similar to Apache). However, unlike Apache, nginx does detect this issue during a "config test", i.e., nginx -t flags this.)

7 Likes
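Since neither Certbot nor apachectl configtest catches a certificate without OCSP responders, the post-renewal hook sketched in the question needs its own check. The following is an added example, not code from Certbot, Apache or anyone in this thread: a standard-library-only DER walker that pulls the OCSP URIs out of the Authority Information Access extension and turns the result into the SSLUseStapling directive to write. The sample inputs are constructed extension lists, not real certificates, and the short-form DER encoder used to build them is an assumption that only holds for payloads under 128 bytes.

```python
OID_AIA = bytes.fromhex("2b06010505070101")         # id-pe-authorityInfoAccess (1.3.6.1.5.5.7.1.1)
OID_OCSP = bytes.fromhex("2b06010505073001")        # id-ad-ocsp (1.3.6.1.5.5.7.48.1)
OID_CA_ISSUERS = bytes.fromhex("2b06010505073002")  # id-ad-caIssuers (1.3.6.1.5.5.7.48.2)

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long form: (ln & 0x7f) length bytes follow
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(buf):
    # Direct (tag, value) elements of a constructed DER value.
    pos = 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos)
        yield tag, val

def _walk(buf):
    # Every element, descending into constructed types (tag bit 0x20 set).
    for tag, val in _children(buf):
        yield tag, val
        if tag & 0x20:
            yield from _walk(val)

def ocsp_uris(der):
    """OCSP responder URIs advertised in the AIA extension; [] when the CA offers none."""
    uris = []
    for tag, val in _walk(der):
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        items = list(_children(val)) if tag == 0x30 else []
        if len(items) >= 2 and items[0] == (0x06, OID_AIA) and items[-1][0] == 0x04:
            for _, aia in _children(items[-1][1]):       # AuthorityInfoAccessSyntax SEQUENCE
                for _, desc in _children(aia):           # each AccessDescription
                    method, location = list(_children(desc))[:2]
                    if method == (0x06, OID_OCSP) and location[0] == 0x86:   # [6] IA5String URI
                        uris.append(location[1].decode("ascii"))
    return uris

def stapling_directive(der):
    """What the post-renewal hook sketched in the question would write into the vhost."""
    return "SSLUseStapling on" if ocsp_uris(der) else "SSLUseStapling off"

# Constructed sample input (not a real certificate): an extension list with one AIA
# extension; short-form DER lengths (< 128 bytes) suffice for these samples.
def _der(tag, payload): return bytes([tag, len(payload)]) + payload
def _access(oid, uri): return _der(0x30, _der(0x06, oid) + _der(0x86, uri.encode("ascii")))
def _extensions(*d): return _der(0x30, _der(0x30, _der(0x06, OID_AIA) + _der(0x04, _der(0x30, b"".join(d)))))
SAMPLE_WITH_OCSP = _extensions(_access(OID_OCSP, "http://ocsp.example.test"),
                               _access(OID_CA_ISSUERS, "http://ca.example.test/issuer.der"))
SAMPLE_CA_ISSUERS_ONLY = _extensions(_access(OID_CA_ISSUERS, "http://ca.example.test/issuer.der"))
```

Feeding a real certificate's DER (the base64 body of the PEM file) to ocsp_uris works the same way, because the walker descends to the Extension SEQUENCEs wherever they sit in the tbsCertificate.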

The EFF's github for Certbot might be a better place to ask about this. Although, plenty of us here will likely reply anyway :slight_smile:

Nummer pretty much sorted it, but I'll add this much anyway. I apologize if this is rudimentary.

Certbot generally follows the Mozilla SSL Generator (here) when setting up HTTPS VirtualHosts. So, enabling stapling with the --apache plugin just adds this outside of a VirtualHost (at least on Ubuntu).

SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)

And this inside the VirtualHost for port 443 for the specific domain

SSLUseStapling on

I'm just curious ... do you find Apache's stapling support robust? Did you consider mod_md stapling at all? Not being argumentative - just honestly curious. Thanks

7 Likes

IIRC Apache has two staplers, one from mod_ssl and one from mod_md.
mod_ssl's stapler is trash (it trashes requests if the cache is empty); the mod_md stapler will run a watchdog to keep the staple fresh.

5 Likes
