My domain is: N/A (generic question)
The operating system my web server runs on is (include version): Debian 9.3
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Hello everyone,
In order to improve revocation checking (in case it's needed someday), I enable Must-Staple on every certificate. So that I don't have to pass the --must-staple option every time I generate new certificates, I've put these two lines in my /etc/letsencrypt/cli.ini file:
staple-ocsp = True
must-staple = True
This is working great... except for one case: I have a certificate for my mail server to secure both IMAP and SMTP. But Postfix (my SMTP server) doesn't support OCSP stapling. So I've issued a certificate without Must-Staple for my mail server and put must-staple = False in the renewal file to override the contrary directive in cli.ini.
Then comes the day of the renewal. The renewal is managed by certbot (by executing certbot renew every day in a cron task). Certbot seems to ignore the must-staple = False in the renewal file and uses the must-staple = True from the cli.ini file. It also updates the renewal file, replacing must-staple = False with must-staple = True!!!
My questions are:
- Why does certbot ignore the content of the renewal file?
- How can I have certbot request certificates with Must-Staple by default while still allowing one certificate to be renewed without Must-Staple?
Thank you