Removing OCSP stapling with forced reissue of cert

Thank you @Osiris and @MikeMcQ - I really appreciate your feedback.

I'm going to answer my own question with the pointer provided to the renewal config (today I learned); I wasn't aware of that before now.

$ sudo certbot --version
certbot 2.1.0

This is the renewal config for a cert issued before the OCSP changes:

$ cat ./darwin.tlsvps.com.conf 
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/certbot/archive/darwin.tlsvps.com
cert = /etc/certbot/live/darwin.tlsvps.com/cert.pem
privkey = /etc/certbot/live/darwin.tlsvps.com/privkey.pem
chain = /etc/certbot/live/darwin.tlsvps.com/chain.pem
fullchain = /etc/certbot/live/darwin.tlsvps.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ca7de859d4178e2e1805a9507b47aeff
rsa_key_size = 2048
must_staple = True
config_dir = /etc/certbot
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/heartbeat/_well-known,
key_type = ecdsa
[[webroot_map]]
darwin.tlsvps.com = /var/www/heartbeat/_well-known

Here's my command for the server FQDN with --staple-ocsp removed (excuse the variables):

sudo /usr/bin/certbot \
certonly \
--agree-tos \
--cert-name "$fqdn" \
--config-dir /etc/certbot/ \
--domains "$fqdn" \
--email "$certbot_email" \
--key-path /etc/certbot/live/"$fqdn"/ \
--no-eff-email \
--rsa-key-size 2048 \
--server https://acme-v02.api.letsencrypt.org/directory \
--webroot \
--webroot-path "$www_prefix"/www/heartbeat/_well-known

As expected, this prompts for a renewal:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for darwin.tlsvps.com
The dry run was successful.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/certbot/renewal/darwin.tlsvps.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for darwin.tlsvps.com

Successfully received certificate.
Certificate is saved at: /etc/certbot/live/darwin.tlsvps.com/fullchain.pem
Key is saved at:         /etc/certbot/live/darwin.tlsvps.com/privkey.pem
This certificate expires on 2025-04-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

…and, for completeness, the post-renewal renewal config looks like this:

$ cat ./darwin.tlsvps.com.conf 
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/certbot/archive/darwin.tlsvps.com
cert = /etc/certbot/live/darwin.tlsvps.com/cert.pem
privkey = /etc/certbot/live/darwin.tlsvps.com/privkey.pem
chain = /etc/certbot/live/darwin.tlsvps.com/chain.pem
fullchain = /etc/certbot/live/darwin.tlsvps.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ca7de859d4178e2e1805a9507b47aeff
rsa_key_size = 2048
config_dir = /etc/certbot
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/heartbeat/_well-known,
key_type = ecdsa
[[webroot_map]]
darwin.tlsvps.com = /var/www/heartbeat/_well-known

When I diff the before & after, the only change is the removal of must_staple = True.

So, no more OCSP.

Thank you again @MikeMcQ & @Osiris - I really appreciate your guidance.

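The before/after comparison above was done by eye on the renewal config. As an added example (not part of the original post and not certbot's own code), the script below does the same check programmatically: it parses certbot's configobj-style renewal file (top-level keys, `[section]`, nested `[[subsection]]`, and the trailing-comma one-element list configobj writes for `webroot_path`), diffs the `[renewalparams]` sections, and reports whether the next renewal will still request the Must-Staple extension. The two configs are constructed from the text of the post; only the standard library is used.

```python
"""Parse certbot renewal configs and diff their [renewalparams] sections.

Added example, not code from the original post or from certbot. The two
configs below are constructed from the post: the renewal file of the cert
issued with --staple-ocsp (BEFORE) and the one written after reissuing the
cert without it (AFTER).
"""
import re

BEFORE = """\
# renew_before_expiry = 30 days
version = 2.1.0
archive_dir = /etc/certbot/archive/darwin.tlsvps.com
cert = /etc/certbot/live/darwin.tlsvps.com/cert.pem
privkey = /etc/certbot/live/darwin.tlsvps.com/privkey.pem
chain = /etc/certbot/live/darwin.tlsvps.com/chain.pem
fullchain = /etc/certbot/live/darwin.tlsvps.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = ca7de859d4178e2e1805a9507b47aeff
rsa_key_size = 2048
must_staple = True
config_dir = /etc/certbot
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = webroot
webroot_path = /var/www/heartbeat/_well-known,
key_type = ecdsa
[[webroot_map]]
darwin.tlsvps.com = /var/www/heartbeat/_well-known
"""

# Constructed from the post: identical except that must_staple is gone.
AFTER = BEFORE.replace("must_staple = True\n", "")

_SECTION = re.compile(r"^(\[+)([^\]]+)\]+$")


def _value(raw):
    """configobj writes lists comma-separated and a one-element list as 'x,'."""
    raw = raw.strip()
    if "," in raw:
        return [v.strip() for v in raw.split(",") if v.strip()]
    return raw


def parse_renewal_conf(text):
    """Return {section_path: {key: value}}.

    Keys before the first section header live under ''. Nested headers
    ([[webroot_map]] inside [renewalparams]) are flattened to a dotted
    path such as 'renewalparams.webroot_map'.
    """
    sections = {"": {}}
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            depth = len(m.group(1))          # number of leading '[' = nesting level
            path = path[:depth - 1] + [m.group(2).strip()]
            sections[".".join(path)] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        sections[".".join(path)][key.strip()] = _value(value)
    return sections


def diff_renewalparams(before_text, after_text):
    """Keys of [renewalparams] whose value differs, as {key: (before, after)}."""
    b = parse_renewal_conf(before_text)["renewalparams"]
    a = parse_renewal_conf(after_text)["renewalparams"]
    return {k: (b.get(k), a.get(k)) for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}


def requests_must_staple(text):
    """True when the next renewal will ask the CA for the Must-Staple extension.

    certbot stores the flag as the string 'True'; an absent key means off.
    """
    params = parse_renewal_conf(text)["renewalparams"]
    return str(params.get("must_staple", "False")).lower() == "true"


if __name__ == "__main__":
    print(diff_renewalparams(BEFORE, AFTER))
    print(requests_must_staple(BEFORE), requests_must_staple(AFTER))
```

Two caveats a practitioner would add. The renewal config only governs what certbot asks for next time; the proof that the reissued certificate itself no longer carries the extension is the certificate, which you can check with `openssl x509 -in /etc/certbot/live/<cert-name>/cert.pem -noout -text | grep -A1 'TLS Feature'` (it prints `status_request` when the Must-Staple extension is present). And dropping `must_staple` removes only that certificate extension; whether the web server keeps stapling OCSP responses is a separate setting in the server's TLS configuration. In a script, adding `--force-renewal` to the same `certonly` command gives the same outcome as answering `2` at the interactive prompt, subject to the rate limits the prompt warns about.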