Unable to renew cert: OCSP Stapling Issue

Hello,

I've been using CSRs (and certhub.io) to manage cert renewal for a while. I'm actually puzzled why my certs all have OCSP stapling enabled, since my certhub/certbot config files never requested that feature.

However, it wasn't an issue until now - I am now unable to renew my certs, since certbot now aborts with the dreaded "remove OCSP stapling" error. My CSR does not have the OCSP stapling request in it, and my certbot CLI parameters also do not specify it.

Here's the relevant CSR (I removed subject and keys):

Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: <omitted>
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    <omitted>
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    DNS:ampache.holthausworld.us
                X509v3 Basic Constraints: 
                    CA:FALSE
                X509v3 Key Usage: 
                    Digital Signature, Non Repudiation, Key Encipherment
                TLS Feature: 
                    status_request
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        <omitted>

The certbot CLI parameters used are (removed email):

--non-interactive
--dns-cloudflare
--dns-cloudflare-credentials /etc/letsencrypt/certbot-cloudflare.ini
--dns-cloudflare-propagation-seconds 30
--agree-tos
--force-renewal
--server https://acme-v02.api.letsencrypt.org/directory
--email <omitted>

I was hoping, based on other articles, that by ensuring that neither the CSR nor the CLI params specify OCSP stapling, LE would process the request - but that doesn't seem to be the case. Does anybody have a pointer to how I can force the renewal and get the OCSP stapling removed from my certs?


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ampache.holthausworld.us

I ran this command:
certbot certonly --csr ampache.holthausworld.us.csr.pem

It produced this output:
2025-06-03 14:00:54,129:ERROR:certbot._internal.log:An unexpected error occurred:

2025-06-03 14:00:54,129:ERROR:certbot._internal.log:Error finalizing order :: OCSP must-staple extension is no longer available: see Ending OCSP Support in 2025 - Let's Encrypt

My web server is (include version): NGINX 1.22 (Debian package)

The operating system my web server runs on is (include version): Debian 12.1

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 4.0.0

1 Like

This confusing description is the "request OCSP must-staple" flag. So the manual CSR you're constructing somehow is including it.

8 Likes
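An added pre-flight check, not from the original thread: it parses the `openssl req -text -noout` dump of a CSR and flags a requested TLS Feature / status_request extension (OCSP must-staple, RFC 7633) before the CSR is handed to certbot. The sample dump is constructed from the CSR shown above; in an OpenSSL req config the line that produces this extension is `tlsfeature = status_request`.

```python
# Constructed sample: the "Requested Extensions" part of an
# `openssl req -text -noout` dump, as shown in the thread above.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:ampache.holthausworld.us
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment
                TLS Feature:
                    status_request
    Signature Algorithm: ecdsa-with-SHA256
"""


def requested_extensions(csr_text: str) -> dict:
    """Map each requested extension name to the value lines listed under it."""
    exts, current, base_indent, in_block = {}, None, None, False
    for line in csr_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "Requested Extensions:":
            in_block, base_indent = True, indent
            continue
        if not in_block:
            continue
        if stripped and indent <= base_indent:
            break  # dedented past the Requested Extensions block
        if indent == base_indent + 4 and stripped.endswith(":"):
            current = stripped[:-1].strip()  # extension name line
            exts[current] = []
        elif current is not None and stripped:
            exts[current].append(stripped)  # value line under the extension
    return exts


def must_staple_requested(csr_text: str) -> bool:
    """True if the CSR asks for TLS Feature status_request (OCSP must-staple).

    Let's Encrypt rejects such CSRs at order finalization, so the fix is to
    drop `tlsfeature = status_request` from the OpenSSL req config and
    regenerate the CSR (hypothetical config line, not shown in the thread).
    """
    values = requested_extensions(csr_text).get("TLS Feature", [])
    return any("status_request" in v for v in values)
```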

That must've been the fastest helpful response I've ever received! Thanks so much - removing that got the renewal working.

5 Likes

Glad to hear it. In general, trying to manually make CSRs to integrate with certbot is probably the hardest way to accomplish what you're trying to accomplish; you should be able to have an ACME client (certbot or otherwise) automate everything, and run any scripts needed for deployment.

4 Likes