Hi, I’m using Certbot to manage a whole bunch of certificates and renewing them with a cron job whenever they are due. All this worked really well until I recently turned on OCSP must-staple for the main domain (where the same cert is used for different services).
While the webserver staples the OCSP responses properly (that’s why I enabled it), the mail server (Postfix) does not, and does not plan to.
Now, I have several options:
- Fix Postfix myself (not an actual option for me)
- Have unstapled certs with must-staple and tell all the mail clients to deal with it (since it is not just me on the mail server, but quite a number of people, that’s also not a feasible option)
- Drop the must-staple option from the cert (I’d really like to use the feature though)
- Use different certs for webserver and mailserver.
Option 4 is the one I’d like to go with, and therefore I wonder whether certbot can handle more than one certificate for a domain. While the multi-purpose cert would be the one with must-staple and would include a number of subdomains, the simple non-stapling cert would need to be only for the plain domain.
Any hints on how to configure certbot how to obtain this are very welcome.
In case this is not feasible, I’d like to get suggestions on how else to obtain this (preferably in an automatable manner, e.g. via a different ACME client for the plain cert).
Thanks for reading so far
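As an added worked example (not part of the original post, and not Certbot's or Postfix's own code), here is how the two-lineage setup from option 4 can be driven from a shell script: one lineage with `--must-staple` and the subdomains for the web server, a second lineage for the bare domain only, without must-staple, for Postfix. The domain `example.com`, the subdomains, the webroot path and the reload commands are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): keep two certbot lineages for the
# same domain. "example.com-web" carries --must-staple plus the subdomains and is
# reloaded into the web server; "example.com-mail" covers only the bare domain,
# has no must-staple, and is reloaded into Postfix. Domain, webroot, subdomains
# and reload commands are assumptions for illustration.

DOMAIN="example.com"              # assumed domain
WEBROOT="/var/www/letsencrypt"    # assumed HTTP-01 webroot
LIVE="/etc/letsencrypt/live"

# Command for the multi-purpose, must-staple lineage. --cert-name names the
# lineage explicitly, so certbot keeps it apart from the other lineage that
# shares the bare domain instead of trying to reuse or merge it.
web_cert_cmd() {
    printf 'certbot certonly --non-interactive --webroot -w %s' "$WEBROOT"
    printf ' --cert-name %s-web --must-staple' "$DOMAIN"
    printf ' -d %s -d www.%s -d cloud.%s' "$DOMAIN" "$DOMAIN" "$DOMAIN"
    printf " --deploy-hook 'systemctl reload nginx'"
}

# Command for the plain lineage used by Postfix: bare domain only, no
# --must-staple, and its own deploy hook.
mail_cert_cmd() {
    printf 'certbot certonly --non-interactive --webroot -w %s' "$WEBROOT"
    printf ' --cert-name %s-mail' "$DOMAIN"
    printf ' -d %s' "$DOMAIN"
    printf " --deploy-hook 'systemctl reload postfix'"
}

# Returns 0 if the certificate in $1 carries the TLS Feature (must-staple)
# extension, 1 otherwise. Use it to make sure Postfix never loads a
# must-staple cert by mistake. Requires openssl.
cert_has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Feature'
}

# Postfix side (assumed Postfix >= 3.4, which has smtpd_tls_chain_files; older
# releases use smtpd_tls_key_file / smtpd_tls_cert_file instead):
#   postconf -e "smtpd_tls_chain_files = $LIVE/$DOMAIN-mail/privkey.pem, $LIVE/$DOMAIN-mail/fullchain.pem"
# Both lineages end up under /etc/letsencrypt/renewal/, so the existing
# "certbot renew" cron job renews both and runs each lineage's own deploy hook.

case "${1:-}" in
    issue)
        eval "$(web_cert_cmd)"
        eval "$(mail_cert_cmd)"
        ;;
    check)
        if cert_has_must_staple "$LIVE/$DOMAIN-mail/cert.pem"; then
            echo "mail lineage unexpectedly has must-staple" >&2
            exit 1
        fi
        ;;
    *)
        echo "usage: $0 issue|check (no argument only defines the helpers)" >&2
        ;;
esac
```

Run it once with `issue` to create both lineages, then `check` after each renewal (or from the mail deploy hook) to confirm the Postfix lineage still has no must-staple extension. Because each lineage has its own `--cert-name`, the existing `certbot renew` cron job picks both up without further changes, and the must-staple flag and deploy hook are stored per lineage.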