Starting May 7th, subscribers will no longer be able to request certificates with OCSP Must-Staple. We’ve identified a small group of folks still requesting these certificates and want to proactively notify them about the upcoming end of life. We’re seeking feedback in the following areas:
- Line edits for clarity, accuracy, and readability
- Suggestions for any additional information to include
Thanks in advance!
Subject: Let's Encrypt: Action required: Disable OCSP Must Staple by May 7th
Hello,
Action is required to keep your certificates working.
The certificates for the hostnames below (issued by the Let's Encrypt account associated with this email address) use a feature called "OCSP Must Staple." We are ending our support for that feature, along with our support for OCSP in general, and replacing them with Certificate Revocation Lists.
After May 7th, 2025, requests for certificates with "OCSP Must Staple" will fail.
To ensure your certificates continue to automatically renew, please change your ACME client configuration to not request OCSP Must Staple.
These are the affected hostnames:
<hostname 1>
<hostname 2>
…
If you have further questions or need assistance, please post on our community forum: https://community.letsencrypt.org/
Thanks,
Let's Encrypt
11 Likes
Is there any service that requires reconfiguration when switching from a certificate with a "must staple" option to a normal certificate? If the answer is yes, then I suggest including a phrase in the e-mail about a possible service reconfiguration requirement.
5 Likes
It might be helpful to have a list somewhere of how to reconfigure some common ACME clients to no longer request must-staple. Maybe it doesn't need to be in this email, but I feel like this email is pointing people here in order to get help with reconfiguring their client, and I don't know where to further point them to documentation for making the change, even for certbot. I see a --must-staple in the docs, but I don't know if that implies a --no-must-staple one can use with reconfigure, or if one needs to force a new cert (with the dreaded --force!) with all the same options but just without the --must-staple, or what. And that's just certbot, let alone all the other clients that one might be using. Even if we don't want a specific documentation page on the main web site, having a wiki forum post here with instructions for common clients would be helpful.
And now that I think about it, is there any way for the email to include the name of the ACME client that they've been using from the User-Agent? I just suspect a common question beyond "how do I change my ACME client configuration" will be "What is my ACME client", as some of these could have been set up many years ago and just running along without anyone currently knowing what's running where (Yay for automation, I suppose).
4 Likes
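Before changing any client configuration, a subscriber can confirm which of their deployed certificates actually carry the Must-Staple extension (the RFC 7633 TLS Feature extension, OID 1.3.6.1.5.5.7.1.24, with the status_request feature). The following is an added example, not code from this thread or from Let's Encrypt; it uses the Python cryptography package and builds its own self-signed test certificate inline, and the /etc/letsencrypt/live path in the usage comment is certbot's default and only an illustration.

```python
"""Report which PEM certificates assert OCSP Must-Staple (RFC 7633 TLS Feature,
OID 1.3.6.1.5.5.7.1.24, feature status_request). Certificates without it are
not affected by the end of life and need no client reconfiguration."""
import datetime
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def has_must_staple(pem: bytes) -> bool:
    """True if the PEM certificate carries the status_request TLS feature."""
    cert = x509.load_pem_x509_certificate(pem)
    try:
        ext = cert.extensions.get_extension_for_class(x509.TLSFeature)
    except x509.ExtensionNotFound:
        return False  # no TLS Feature extension at all: not affected
    return x509.TLSFeatureType.status_request in ext.value


def make_test_cert(must_staple: bool) -> bytes:
    """Constructed self-signed certificate, used only to exercise the check."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
    )
    if must_staple:
        builder = builder.add_extension(
            x509.TLSFeature([x509.TLSFeatureType.status_request]), critical=False
        )
    cert = builder.sign(key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.PEM)


def scan(paths):
    """Map each PEM file path to whether it is affected by the Must-Staple EOL."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = has_must_staple(fh.read())
    return results


if __name__ == "__main__":
    # Example usage: python check_must_staple.py /etc/letsencrypt/live/*/cert.pem
    for path, affected in scan(sys.argv[1:]).items():
        print(f"{path}: {'Must-Staple set, reconfigure ACME client' if affected else 'ok'}")
```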
Thank you for the feedback, @bruncsak and @petercooperjr. I’ll work on adding short examples for a few popular ACME clients, highlighting which options should no longer be used when requesting certificates from Let’s Encrypt.
6 Likes
Perhaps rephrase that to stress the motivation, without requiring a clickthrough:
AFAIK, the "must-staple" configuration is an explicit opt-in on all clients – I don't think it's possible to request a certificate with that feature without knowingly doing so. This might be the result of a subscriber having no idea what they're doing, but perhaps note that this was an explicit request at some point?
You might also want to add something like:
If your organization requires using Must Staple, you can switch to another CA that still supports it. Please be warned there are security and privacy implications to using this extension, and other CAs are in the process of deprecating it as well.
5 Likes