`must-staple = False` in renewal file overwritten by cli.ini


#1

My domain is: N/A (generic question)

The operating system my web server runs on is (include version): Debian 9.3

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello everyone,

In order to improve revocation checking (in case it’s needed someday), I enable Must-Staple on every certificates. To not have to put the --must-staple option everytime I generate new certificates, I’ve put these two lines in my /etc/letsencrypt/cli.ini file:

staple-ocsp = True
must-staple = True

This is working great… unless for an exception: I’ve a certificate for my mail server to secure both IMAP and SMTP. But Postfix (my SMTP server) doesn’t support OCSP Stapling. So I’ve issued a certificate without Must-Staple for my mail server and put must-staple = False in the renewal file to overwrite the contrary directive of the cli.ini.

Then, come the day of the renewal. The renewal is managed by certbot (by executing certbot renew everyday in a cron task). Certbot seems to ignore the must-staple = False of the renewal file and uses the must-staple = True of the cli.ini file. It also update the renewal file to replace must-staple = False by must-staple = True!!!

My questions are:

  • Why certbot ignore the content of the renewal file?
  • How to have certbot requesting certificates with Must-Staple by default while allowing to renew a certificate without Must-Staple?

Thank you :slight_smile:


#2

Hi @Zoddo,

The trouble here is that cli.ini has higher priority than individual renewal configuration files because it’s considered equivalent to setting an option manually on the command line.

I’ll consider further how to do what you want and discuss it with my colleagues.


#3

@bmw mentioned that this is an outstanding issue:

So, we don’t have a clear way to do this now, but maybe we should. Sorry about that.

I guess the easiest workaround would be to remove the must-staple = True line in cli.ini and make your own shell script that wraps certbot for new issuance. Your script can add --must-staple by default for each new certificate. But for the one domain that doesn’t use it, you wouldn’t use this wrapper script for issuance. Then each domain will have its own must-staple status remembered in its individual renewal configuration file.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.