OCSP Must-Staple breaking

Is Let's Encrypt really going to break OCSP Must-Staple? I just got an email alerting me to reissue any Must-Staple certificates by May 7th.

OCSP with Must-Staple is the only way revocation isn't broken. I have perfectly functional revocation support right now. Why must I disable it?

Please see the links mentioned in the mail:

Let's Encrypt has decided that they will completely remove OCSP support this year. This of course breaks must-staple as a by-product (as it relies on OCSP), which is why you must disable it to avoid renewal failures later this year.

2 Likes

I wish to point out that this decision is bad, as it proposes to improve the revocation situation by making my revocation system work less well.

Hi Xan,

We know that this change is disappointing to some people, and that it can appear to be a step backwards for folks who have properly configured Must-Staple. But there's a difference between that and a "bad" decision -- one has to take many perspectives into account and weigh them against each other. The unfortunate truths are that we have to run CRL services to comply with root programs, that OCSP is a major privacy issue for people visiting sites that don't have Must-Staple configured, and that we don't have the resources to run both OCSP and CRLs side-by-side.

Again, I'm sorry that feels like a bad decision to you, but I can assure you that we wouldn't be taking this step unless we felt like we had to.

4 Likes

A post was split to a new topic: Disabling OCSP Must Staple in Certbot

Thanks for the reply, Aaron. You're right that "bad" was overstating it. But it's definitely true that this is a significant downgrade for my situation.

That said, resources are finite, and you can't please everyone all the time. Thanks for the service!

4 Likes

I agree, OCSP stapling (with Must-Staple) is an excellent way to enforce revocation.

Unfortunately,

is an illusion because revocation is fundamentally broken.

Ultimately, it's a cost-savings measure for Let's Encrypt, and the introduction of short-lived (6-day) certs sidesteps the need for revocation entirely, which is good.

In what way is revocation broken when using Must-Staple? (I mean, before May 7 when it gets broken on purpose.)

Because clients often still ignore the OCSP staple. 🤷 Many clients prefer to lean on CRLs only these days, commanding their own revocations, which is unfortunate.

I didn't realize Chrome still didn't support it. Sheesh. So you're right!

What's frustrating is the amount of work it took to get it working properly: I had to write a daemon to fetch the OCSP responses and put them in the right place for nginx to find them, because nginx wasn't able to handle it properly. I suppose that was another symptom of the whole thing not really working.

3 Likes
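The two chores this thread keeps coming back to are finding out which of your certificates actually carry the Must-Staple (TLS Feature) extension before they have to be reissued, and the "daemon to fetch the OCSP responses and put them in the right place for nginx" described in the post above. The script below is an added example written for this page; it is not code from the poster, from Let's Encrypt or from Certbot. It assumes only the `openssl` command-line tool and nginx's `ssl_stapling_file` directive, which serves a DER-encoded OCSP response from a file instead of querying the responder. `refresh_staple` needs network access to the CA's responder and is therefore not exercised offline; `has_must_staple` and `ocsp_url` work on any PEM certificate.

```sh
#!/bin/sh
# Added example, not from the thread.
#   has_must_staple CERT.pem            -> exit 0 if CERT carries the TLS Feature
#                                          (OCSP Must-Staple, OID 1.3.6.1.5.5.7.1.24)
#                                          extension, exit 1 otherwise
#   ocsp_url CERT.pem                   -> print the OCSP responder URL from AIA
#   refresh_staple CERT.pem CHAIN.pem OUT.der
#                                       -> fetch + verify a fresh OCSP response and
#                                          atomically replace OUT.der (the file named
#                                          by nginx's ssl_stapling_file); network needed
set -u

# OpenSSL prints the extension as "TLS Feature:" followed by "status_request";
# builds that do not know the OID print it numerically, so match both.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -qE 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# OCSP responder URL from the Authority Information Access extension
# (empty output once a CA stops putting OCSP URLs into its certificates).
ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Fetch an OCSP response, require it to verify against the issuer chain and to
# say "good", and only then replace the file nginx serves. A stale-but-valid
# staple is better than an empty file, so the old one is never truncated on error.
refresh_staple() {
    cert=$1; chain=$2; out=$3
    url=$(ocsp_url "$cert") || return 1
    if [ -z "$url" ]; then
        echo "no OCSP URL in $cert; nothing to staple" >&2
        return 1
    fi
    tmp=$(mktemp "$out.XXXXXX") || return 1
    # "Response verify OK" goes to stderr, "<cert>: good" to stdout: capture both.
    result=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$url" \
                 -CAfile "$chain" -respout "$tmp" 2>&1)
    if printf '%s\n' "$result" | grep -q 'Response verify OK' &&
       printf '%s\n' "$result" | grep -q ': good'; then
        mv "$tmp" "$out"          # atomic on the same filesystem
        return 0
    fi
    rm -f "$tmp"
    echo "OCSP refresh failed for $cert:" >&2
    printf '%s\n' "$result" >&2
    return 1
}

# Report every Must-Staple certificate under a directory (the ones that have to
# be reissued without the extension before the CA's OCSP shutdown).
list_must_staple() {
    for f in "$1"/*.pem; do
        [ -f "$f" ] && has_must_staple "$f" && echo "$f"
    done
    return 0
}
```

To use `refresh_staple` the way the post describes, run it from cron or a systemd timer more often than the response's validity window (Let's Encrypt responses have been valid for days, so hourly is plenty), and point nginx at the output with `ssl_stapling on; ssl_stapling_file /etc/nginx/ocsp/example.der;`. Once a certificate has no OCSP URL at all, `ocsp_url` prints nothing and the function refuses to touch the file, which is the failure mode to expect after the shutdown described in this thread.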

Is it possible to keep OCSP only for LE certs with must-staple (i.e. put OCSP URLs and handle OCSP requests only for such certs)? Not sure if standards allow such situation but probably would decrease OCSP traffic and resolve privacy issues.

1 Like

Hi,
Could you explain to me how I can disable OCSP Must-Staple?
Thank you

@sasuk Please open a new thread in the Help category and we will help you. Answer as many of the questions you will be shown as you can. The solution depends on your circumstances.

1 Like

That was mentioned at some point earlier as being on the table. It must have been rejected as requiring too many resources for not enough return.

1 Like

Unfortunately it is not practical, no. Every additional infrastructure component we run both costs ongoing developer and SRE effort, and represents ongoing compliance burden. Although running OCSP just for certificates that request Must-Staple would be less expensive from a CPU and network perspective, it would be no less expensive from an engineering effort and compliance perspective, and those costs far outweigh the former.

7 Likes