Hello guys, I have generated a certificate for my domain with the --must-staple option, but I can't connect to my FTP server over an SSL connection because of the error shown below; somehow the server doesn't staple the response. Is there any option to force the stapling manually or to disable OCSP stapling?
(Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.)
My domain is: alezciebiebambik.pl
I ran this command: connecting via FileZilla to my FTP server
It produced this output: 'The certificate requires the server to include the ocsp status on its response but the ocsp status is missing'
My web server is (include version): vsftpd 3.0.3
The operating system my web server runs on is (include version): Debian 11 (bullseye)
My hosting provider, if applicable, is: on my own
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
My machine is on a VPS (DigitalOcean).
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0
I haven't heard of FTPS doing OCSP stapling, though I think in theory it could be done. Really, FTPS (doing FTP over TLS) isn't that popular, as most people use SFTP (doing file transfer over SSH). I'm not familiar with vsftpd, but if it supports OCSP stapling, you probably need to configure it to do so.
If you don't need stapling, then you could get a new certificate without the --must-staple option. But I don't know if we can advise you on whether you should do that, as presumably there's a reason that you chose to do so, and the system looks like it's working properly by not allowing the certificate to be used without doing stapling.
Agree with Peter that I'm not sure why you chose this way for FTP. But, if you need to ...
I did a quick peek at the vsftpd docs and I don't see any option that supports stapling. Further, it looks to only support RSA keys. The Certbot 2.6 default is an ECDSA cert. You might also need to use --key-type rsa when you re-issue your cert.
I have configured automatic renewal for the cert; does it mean that every future cert will require stapling? I used the stapling option to obtain the highest possible security; back then I didn't know that I would have to configure vsftpd.
The point of must-staple is specifically that if a server can't provide a valid OCSP response, then the client should reject the connection instead of connecting, rather than just warning about, or ignoring, being unable to tell whether a certificate is revoked. If you don't need that functionality, and want to allow clients to connect regardless, then sure, get a certificate without must-staple.
It's my understanding that you should be able to just do the same certbot command you did the first time to get the certificate, but without --must-staple this time, and it should get a new certificate and update the renewal configuration accordingly to not include it. But it's not something I've personally tried, so maybe someone else here has a better handle on how to update your certbot configuration.
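As an added example (not from anyone in this thread), the two checks behind the discussion above: whether a certificate actually carries the TLS Feature (must-staple) extension, and whether a live explicit-TLS FTP server staples an OCSP response. It assumes the openssl CLI is installed; the certificates it inspects are constructed throwaway self-signed ones, and the certbot renewal-config path is the standard one, assumed here.

```bash
#!/bin/sh
# Added example: detect must-staple on a certificate and check live stapling.
# Requires the openssl command-line tool (1.1.1 or newer for -addext).
set -eu

# Print "yes" if the PEM certificate in $1 carries the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24), which openssl renders as "TLS Feature: status_request".
# A client such as FileZilla enforces this: no stapled OCSP response, no connection.
has_must_staple() {
    if openssl x509 -in "$1" -noout -text | grep -q 'status_request'; then
        echo yes
    else
        echo no
    fi
}

# Live check against an explicit-TLS FTP server (AUTH TLS, normally port 21).
# A stapling server prints "OCSP Response Status: successful (0x0)";
# a server like the one in the thread prints "OCSP response: no response sent".
# Needs network access, so it is not called below.
check_staple() {  # $1 = host, $2 = port
    echo QUIT | openssl s_client -connect "$1:$2" -starttls ftp -status 2>/dev/null \
        | grep -E 'OCSP [Rr]esponse'
}

# Constructed test material: two throwaway self-signed certificates,
# one requesting must-staple via the tlsfeature x509v3 extension, one without.
make_cert() {  # $1 = output file prefix, $2 = x509v3 extension to add
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=ftp.example.test' \
        -addext "$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

WORK=$(mktemp -d)
make_cert "$WORK/must"  'tlsfeature = status_request'
make_cert "$WORK/plain" 'subjectAltName = DNS:ftp.example.test'

echo "must.pem  must-staple: $(has_must_staple "$WORK/must.pem")"   # yes
echo "plain.pem must-staple: $(has_must_staple "$WORK/plain.pem")"  # no

# Whether future renewals will keep requesting must-staple is recorded in the
# certbot renewal config (standard path assumed); a "must_staple = True" line
# there means the renewed cert will carry the extension again.
grep -H 'must_staple' /etc/letsencrypt/renewal/*.conf 2>/dev/null || true
```

Run `check_staple your.host 21` against the real server to confirm whether the error FileZilla reports matches what openssl sees on the wire.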