Removing OCSP URLs from Certificates

Help
1

I am trying to understand if the upcoming change on May 7th will impact my site. Is there any change needed from my end?

My domain is:https://university.enlitly.com/

I ran this command: NA

It produced this output: NA

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.6 LTS

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

2

I wouldn't think so. Your most recent certificate did not have Must-Staple and your Apache server is not sending the optional stapled response.

What was it about the announcement you saw that made you concerned?

Which announcement was it?

3 Likes
3

Thank you for confirming. This is the email I received on Thu, Apr 24, 3:58 PM " Removing OCSP URLs from Certificates

Let’s Encrypt will be removing OCSP URLs from certificates on May 7, 2025 as part of our plan to drop OCSP support and instead support certificate revocation information exclusively via CRLs.

Subscribers can test this change by issuing certificates in our staging environment or with the tlsserver profile in production. On May 7, all certificate profiles will omit OCSP URLs. You can learn more about certificate profiles here.

This change means that all certificate requests with the OCSP Must-Staple extension will fail. Users will need to update their ACME client configurations to not request the extension. Support for OCSP Must-Staple requests had been disabled for a portion of subscribers, and as of May 7 it will be disabled for all.

Both OCSP and CRL are mechanisms to fetch certificate revocation information. Our certificates already include CRL URLs. Until we turn off our OCSP responders on August 6 of this year, you will still be able to query a certificate’s status via OCSP for certificates issued prior to this change.

If you have any questions, please open a help thread on our community forum."

1 Like
4

Only you can know every place you use that certificate and whether any of those places are affected. Some people use certs in private servers or other places that are impossible or difficult for anyone else to know about.

I only checked the specific link you provided for your site. If that Apache server is the only place you use that cert you should be fine.

4 Likes
5

Thank you. I appreciate your help.

2 Likes