@osiris: This bug is now fixed on staging. Please try again.
@jsha Hi, is the must-staple feature in production yet?
And in case anyone knows: How to simply check if a certificate has the OCSP must-staple attribute? - Information Security Stack Exchange
Not yet, sorry. Our Ops team has been busy.
Hi, I found two points:
- I added a new DNS record for the test, but the server (staging) toggles between the old IP and the new one, even though both the old and the new record had a DNS TTL of 60 sec.
- The CSR I generated always causes an Internal Server Error on the ACME side.
Any hints?
CSR: MIIBUzCB1wIBADAZMRcwFQYDVQQDEw50ZXN0LnN1Y2hlLm9yZzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMZFTHnwtatfYkVTMTnqupRt6Ue/jcfCukBRPav35LrVJJ4Kr/Pvlk3YXTrbN7n0Tv8yp0atfLleqUBShoLbR/0jQkcKIpj4sTO9FN+onu5v9tuzyBv6iWLq87mepCK63aA/MD0GCSqGSIb3DQEJDjEwMC4wEQYIKwYBBQUHARgEBTADAgEFMBkGA1UdEQQSMBCCDnRlc3Quc3VjaGUub3JnMAwGCCqGSM49BAMCBQADaQAwZgIxAOiqqRhDw1WBwYJQXeNYthuun3r057/bc2PeitdHH/ZX8xOeVwDOtSfojUoeCOlZYQIxAKyT+qJ4i1RgTf+7E6L1xWsV/lKJRss+hmLzLgzPKZBNoSmDPmIR/eAoLZYTMoc+7g==
391 ms POST https://acme-staging.api.letsencrypt.org/acme/new-cert HTTP-500 Internal Server Error {"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}
2016-04-06T18:32:50.205 INFO REQ-LOG (127.0.0.1 , 101700) ZIP( -1 < 669) in 11551(ms) for[200] GET https://127.0.0.1/acmeAdmin CipherSuite(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) param:{"acmeServer":["https://acme-staging.api.letsencrypt.org/directory"],"addFQDN":["test.suche.org"],"keyLen":["384"],"keyTyp":["EC"]}
Very strange… I can get an RSA public key certificate with the must-staple feature, but when I use an ECDSA key (with must-staple), it malfunctions…
ECDSA itself is not the problem, but the combination of ECDSA and Must-Staple is…
Unfortunately, an internal server error is hard to debug… Could it be this line?
https://github.com/letsencrypt/boulder/blob/master/ra/registration-authority.go#L590
@Osiris should I file a bug ticket for this?
Since you can reproduce it, it should not be a fault in my implementation.
Already done ;)
Osiris opened bug 1706 with a good description.
Summary: This feature was not supported in the ECDSA profile.
It should be supported on production once it goes live.
Attention: currently only OCSP-Staple is allowed as a supported feature by 1.3.6.1.5.5.7.1.24.
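As an added example (not code from this thread, from Boulder or from certbot), here is a pure-Python answer to the "how do I check for must-staple" question asked earlier: it walks the DER structure for the TLS Feature extension named above (OID 1.3.6.1.5.5.7.1.24) and reports the features it lists. It is run against the ECDSA CSR posted in the thread and works on DER certificates too, since the extension is encoded the same way there.

```python
import base64

# TLS Feature extension (RFC 7633), OID 1.3.6.1.5.5.7.1.24 in DER form.
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension number that means "OCSP Must-Staple"

def read_tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def find_tls_feature(der):
    """Features listed by the first TLS Feature extension in a DER cert or CSR,
    or None when the extension is absent."""
    def walk(value):
        items = list(children(value))
        # Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING }
        if items and items[0][0] == 0x06 and items[0][1] == TLS_FEATURE_OID:
            octets = next(v for t, v in items[1:] if t == 0x04)
            _, seq, _ = read_tlv(octets, 0)          # inner SEQUENCE OF INTEGER
            return [int.from_bytes(v, "big", signed=True)
                    for t, v in children(seq) if t == 0x02]
        for tag, inner in items:
            if tag & 0x20:                           # constructed: SEQUENCE, SET, [n]
                found = walk(inner)
                if found is not None:
                    return found
        return None
    _, body, _ = read_tlv(der, 0)
    return walk(body)

def has_must_staple(der):
    return STATUS_REQUEST in (find_tls_feature(der) or [])

# The ECDSA P-384 CSR posted earlier in this thread (base64 DER).
CSR_DER = base64.b64decode("MIIBUzCB1wIBADAZMRcwFQYDVQQDEw50ZXN0LnN1Y2hlLm9yZzB2MBAGByqGSM49AgEGBSuBBAAiA2IABMZFTHnwtatfYkVTMTnqupRt6Ue/jcfCukBRPav35LrVJJ4Kr/Pvlk3YXTrbN7n0Tv8yp0atfLleqUBShoLbR/0jQkcKIpj4sTO9FN+onu5v9tuzyBv6iWLq87mepCK63aA/MD0GCSqGSIb3DQEJDjEwMC4wEQYIKwYBBQUHARgEBTADAgEFMBkGA1UdEQQSMBCCDnRlc3Quc3VjaGUub3JnMAwGCCqGSM49BAMCBQADaQAwZgIxAOiqqRhDw1WBwYJQXeNYthuun3r057/bc2PeitdHH/ZX8xOeVwDOtSfojUoeCOlZYQIxAKyT+qJ4i1RgTf+7E6L1xWsV/lKJRss+hmLzLgzPKZBNoSmDPmIR/eAoLZYTMoc+7g==")
print("TLS features:", find_tls_feature(CSR_DER), "must-staple:", has_must_staple(CSR_DER))
```

For a PEM file, strip the BEGIN/END lines and base64-decode the rest before calling `has_must_staple`; a result of `[5]` is exactly the status_request feature that the OID in the post above refers to.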
Hi, any timeline when the EC fix will be available for testing in staging environment?
This is now fixed in staging. You should be able to issue ECDSA + Must-Staple certificates against staging.
Nice
I can confirm that it is now working.
Sorry for the delay on this, all. We realized that our CP doesn't currently list the Must Staple extension as one of the ones we may provide in certificates. We need to update the CP before we can flip on the config. That's taken a little longer than expected because the necessary staff members have been quite busy. Will post again once we're able to turn it on.
Thanks,
Jacob
OK, we will wait. I hope that this will not be a long-term feature, since no time frame has been mentioned yet.
You "should" also update your CPS:
keyUsage. This extension is present and marked critical. Bit positions for digitalSignature and keyEncipherment are set
But keyEncipherment isn't set for ECDSA certificates:
Might wanna look into that.
Actually, from reading the CP, the CPS is the most logical choice to put the TLS Feature Extension too I think.
Thanks for pointing that out! I'll work on it.
@jsha: This probably is going to take some time, I assume? Lawyers and stuff…? I also assume it isn't worth waiting on a cert I'd want to issue with Must-Staple, which is expiring in 10 days, right?
Updating the CP / CPS doesn't require lawyers, but it requires approval from various people. It should happen soon but I definitely wouldn't recommend waiting to issue a certificate that is expiring so soon! You can always issue again afterwards. That won't have the nice revocability properties you probably want, but the next round will. You can plan on spending the next 60 days finding stapling bugs in your web server.
Ah cool, a timeline, so next ask in two months.
Must Staple is now live in production. You can use the new --must-staple flag in certbot if you build from master, or you can use the manual CSR method. Enjoy!
Great, it works (suche.org).
Even with ECDSA.
So has the CP / CPS also been updated now?