OCSP stapling phase out practicalities

With the recent announcement of the retirement of OCSP stapling, I wondered what the correct way is to phase out the feature on a server.

I currently run an nginx with
ssl_stapling on; ssl_stapling_verify on;
and just disabling this leads to problems due to the stapling flag in the certificate being set.

Is it enough to swap the must_staple flag in /etc/letsencrypt/renewal/domain.conf, so the next extension of the certificate will not bear the OCSP stapling extension?
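One way to check whether a certificate actually carries the must-staple (TLS Feature, RFC 7633) extension before switching ssl_stapling off, and whether a certbot renewal conf still requests it. This is an added example, not code from the thread or from Let's Encrypt; it assumes the openssl CLI is installed, and the hostname and file paths are placeholders.

```shell
#!/bin/sh
# Added example: detect must-staple before disabling OCSP stapling in nginx.
# A certificate with the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24,
# "status_request") tells clients to expect a stapled OCSP response, so
# turning ssl_stapling off while it is present breaks strict clients.
set -eu

MUST_STAPLE_RE='TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'

# has_must_staple CERT.pem -> exit 0 if the TLS Feature extension is present.
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "$MUST_STAPLE_RE"
}

# server_has_must_staple HOST -> checks the leaf cert a live server presents
# (placeholder host; talks to port 443 with SNI).
server_has_must_staple() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | grep -Eq "$MUST_STAPLE_RE"
}

# renewal_requests_must_staple RENEWAL.conf -> exit 0 if the certbot renewal
# conf still has "must_staple = True", i.e. the next renewal would re-add it.
renewal_requests_must_staple() {
    grep -Eiq '^[[:space:]]*must_staple[[:space:]]*=[[:space:]]*true' "$1"
}

# report CERT.pem RENEWAL.conf -> prints what still has to change first.
report() {
    if has_must_staple "$1"; then
        echo "$1: must-staple set; keep ssl_stapling on until reissued without it"
    else
        echo "$1: no must-staple; ssl_stapling can be turned off"
    fi
    if renewal_requests_must_staple "$2"; then
        echo "$2: must_staple still requested; change it before the next renewal"
    fi
}
```

Check the served certificate after renewal as well, since the file on disk and what nginx actually presents can differ until the server is reloaded.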

Let's Encrypt has not yet decided to e.g. continue supporting OCSP for certificates with the must_staple feature extension enabled or e.g. to either refuse or simply not add the must_staple flag when renewing.

My advice would be to follow What will happen to Must-Staple and the API Announcements - Let's Encrypt Community Support category while Let's Encrypt makes up their mind on what to do with regard to must_staple.


I think you will need to remove ssl_stapling_verify on.

I also think that would be necessary.
But which ACME client are you using?
Check its documentation as well.

And definitely follow Osiris’ advice above.

