How to set up OCSP stapling on a LAMP stack?

Hi,

I found this: Certbot Version 0.7.0

How to automatically configure OCSP stapling for Apache with certbot?

Thanks!

0.7.0 is incredibly old.

The answer to setting OCSP stapling is in your webserver documentation, or, if you just want the configuration line, on ssl-config.mozilla.org

Keep in mind that OCSP stapling and OCSP must-staple are different but related things. Current recommendation is to staple but not to use must-staple.

3 Likes

I added

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

to options-ssl-apache.conf

And apache won't restart. What am I missing? :smiley:

Apache usually complains in its logs. What do they say?

Also, make sure you have the right Apache version in the Mozilla generator. There are times when that matters.

4 Likes

I had to add the SSLUseStapling On inside the </VirtualHost> tags and the SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" outside the </VirtualHost> tags in /etc/apache2/sites-enabled/example.com-le-ssl.conf.

Works now :smiley:

1 Like

How do I check if the cache is working?

And what are the recommendations for TLSA record for DANE?

I'd say the recommendation is to only use it on your MX fqdn, if at all.

Browsers don't check DANE, MTAs might.

4 Likes

Various SSL/TLS test sites show this information, for example ssllabs.com

3 Likes
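A command-line check, as an added example that is not part of the thread: `openssl s_client -status` asks the server to include a stapled OCSP response in the handshake, and the helper below classifies what s_client prints. The function names and the abbreviated sample outputs are constructed for this example, not taken from the thread.

```shell
#!/bin/sh
# Classify the "OCSP response" section of `openssl s_client -status` output.
# Reads the s_client output on stdin and prints one of:
#   stapled                 - a successful response with Cert Status: good
#   stapled-but-not-good    - a response was stapled but the status is not good
#   no-stapling             - the server sent no OCSP response at all
classify_stapling() {
    out=$(cat)
    case $out in
        *'OCSP response: no response sent'*) echo no-stapling ;;
        *'OCSP Response Status: successful'*)
            case $out in
                *'Cert Status: good'*) echo stapled ;;
                *) echo stapled-but-not-good ;;
            esac ;;
        *) echo no-stapling ;;
    esac
}

# Live check against a server (needs network access).
# Usage: check_stapling example.com [port]
# SNI (-servername) is required so Apache picks the right VirtualHost.
check_stapling() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs, abbreviated from what s_client prints,
# so the classifier can be exercised offline.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'
```

If the live check prints `no-stapling` right after a restart, check the Apache error log first: mod_ssl logs why it could not fetch or cache a response.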

Expanding on what @9peppe said above - DANE is still (slowly) catching on. Most people using it with LetsEncrypt/Certbot are early adopters and have been ironing out the best workflows for deployment. Last I checked, there isn't any official guidance from LetsEncrypt/Certbot and there hasn't been a standardized common workflow for integrating it. There have been some issues with certain types of records invalidating others.

One of the better discussions on DANE here is: Understanding SMTP DANE implementation options - #6 by schoen as that topic has input of some ISRG/LetsEncrypt staff and many of the community mods.

I strongly suggest searching for DANE in the archives and doing a reverse date search as "what works best" has been evolving a lot.

4 Likes

It turns out I don't have OCSP stapling working. Where can I download the CA bundle from? And do I download it to /etc/ssl?

Thanks

1 Like

I get this error in the log: rejecting client initiated renegotiation

Do you recognize the IP being rejected?
That error sounds like it's something you do want to see.
[it sounds like an attempt at a down-grade attack]
I would be OK with rejecting all client-initiated renegotiations.

2 Likes

Your OS should have that. If not, certbot has that (chain.pem) (a warning, though: you need the certificate used to validate OCSP signatures, not the one used to validate leaf certificates -- right now they're the same, but that's not a given.)

2 Likes

Hi, Sorry about the late reply. How do I do so? Thanks

1 Like

Ah, I see. Yes, there is a bunch of IPv4 and IPv6 I don't recognize.

I'm not sure what you are trying to do. The Mozilla SSL configurator should give you a fully working configuration for this.

3 Likes

I had to remove the SSLUseStapling On outside of the tags as well. Works now :slight_smile:

1 Like
