Hi,
I found this: Certbot Version 0.7.0
How to automatically configure OCSP stapling for Apache with certbot?
Thanks!
0.7.0 is incredibly old.
The answer to setting OCSP stapling is in your webserver documentation, or, if you just want the configuration line, on ssl-config.mozilla.org
Keep in mind that OCSP stapling and OCSP must-staple are different but related things. Current recommendation is to staple but not to use must-staple.
I added
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
to options-ssl-apache.conf
And apache won't restart. What am I missing?
Apache usually complains in its logs. What do they say?
Also, make sure you have the right Apache version in the Mozilla generator. There are times when that matters.
I had to add the
SSLUseStapling On
inside the </VirtualHost> tags, and the
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
outside the </VirtualHost> tags, in /etc/apache2/sites-enabled/example.com-le-ssl.conf.
Works now
How do I check if the cache is working?
And what are the recommendations for TLSA record for DANE?
I'd say the recommendation is to only use it on your MX fqdn, if at all.
Browsers don't check DANE, MTAs might.
Various SSL/TLS test sites show this information, for example ssllabs.com
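A local way to answer "is stapling actually working?" without an external test site, added here as an example (not something posted in the thread): ask openssl s_client for the status extension and parse its reply. The hostname and port are whatever you pass in; the sample strings in the comments are the literal lines OpenSSL prints.

```shell
#!/bin/sh
# Added example: check whether a TLS server staples an OCSP response.
# Uses only openssl s_client, so it works against your own vhost from the box.

# Parse "openssl s_client -status" output on stdin.
# Prints "stapled", "no-response" or "unknown"; returns 0 only when stapled.
stapling_status() {
    out=$(cat)
    case "$out" in
        # OpenSSL prints this line when the server sent a valid stapled response.
        *"OCSP Response Status: successful"*)
            echo stapled; return 0 ;;
        # Printed when the server answered the status request with nothing.
        *"OCSP response: no response sent"*)
            echo no-response; return 1 ;;
        *)
            echo unknown; return 2 ;;
    esac
}

# Query a live server. Apache fills its stapling cache lazily, so the very
# first handshake after a restart can legitimately report "no-response";
# run it twice before concluding the cache is broken.
# Usage: check_stapling example.com [443]
check_stapling() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null | stapling_status
}
```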
Expanding on what @9peppe said above - DANE is still (slowly) catching on. Most people using it with LetsEncrypt/Certbot are early adopters and have been ironing out the best workflows for deployment. Last I checked, there isn't any official guidance from LetsEncrypt/Certbot and there hasn't been a standardized common workflow for integrating it. There have been some issues with certain types of records invalidating others.
One of the better discussions on DANE here is: Understanding SMTP DANE implementation options - #6 by schoen as that topic has input of some ISRG/LetsEncrypt staff and many of the community mods.
I strongly suggest searching for DANE in the archives and doing a reverse date search as "what works best" has been evolving a lot.
It turns out I don't have OCSP stapling working. Where can I download the CA bundle from? And do I download it to /etc/ssl?
Thanks
I get this error in the log: rejecting client initiated renegotiation
Do you recognize the IP being rejected?
That error sounds like it's something you do want to see.
[it sounds like an attempt at a down-grade attack]
I would be OK with rejecting all client-initiated renegotiations.
Where can I download the CA bundle from?
Your OS should have that. If not, certbot has that (chain.pem)(a warning, tho: you need the certificate used to validate OCSP signatures, not the one used to validate leaf certificates -- right now they're the same, but that's not a given.)
Hi, Sorry about the late reply. How do I do so? Thanks
Ah, I see. Yes, there is a bunch of IPv4 and IPv6 addresses I don't recognize.
I'm not sure what you are trying to do. The Mozilla SSL configurator should give you a fully working configuration for this.
I had to remove the SSLUseStapling On
outside of the tags as well. Works now