Everything working fine! …but…
used wrong arg in certbot command (below) and would like to undo/redo to get certs with --ocsp-staple instead of --must-staple
what is the right way to do this, please?
a) revoke the old ones and/or
b) delete older certs in /etc/letsencrypt…
c) hmm ?
domains: techduck.ca www.techduck.ca shc.techduck.ca wiki.techduck.ca family.techduck.ca
command:
certbot renew --must-staple
output: no error - manual renew worked great - certs all good.
sorry - apt upgrade gave me new kernel so reboot and no output available now.
apache -v
Server version: Apache/2.4.38 (Raspbian)
Server built: 2019-10-15T19:53:42
operating system:
Raspberry Pi OS (32-bit) Lite
Minimal image based on Debian Buster
Release date: 2020-05-27
Kernel version: 4.19
Version: May 2020
(actually installed 6 weeks ago but upgraded every day and have no copy of that image any longer, so took this info from the raspberrypi.org/download site where I got the original install image)
hosting provider: myself
root login to hardware: yes
No control panel
certbot --version
certbot 0.31.0
thanks ahead of time,
Bruce
beason@techduck.ca
see a photo of the rack https://www.techduck.ca
Hi @beason
that's not possible. Read
https://certbot.eff.org/docs/using.html
must staple is a certificate property, staple ocsp is a webserver property.
If you have (and you have) a certificate with must-staple, you need a server with staple ocsp.
If not, Firefox shows the expected error:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
So add that:
sudo certbot --staple-ocsp
should do the job.
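The distinction in the reply above (must-staple is a property of the certificate, OCSP stapling a property of the web server) can be audited on the host before clients start rejecting handshakes. This is an added example, not part of the original posts and not certbot's own code: it assumes the renewal file records `must_staple = True` under `[renewalparams]` and that Apache stapling is enabled per virtual host with `SSLUseStapling on`; the sample files and function names are constructed for illustration.

```python
import re

# Constructed sample of /etc/letsencrypt/renewal/family.techduck.ca.conf
RENEWAL_CONF = """\
version = 0.31.0
[renewalparams]
authenticator = apache
must_staple = True
"""

# Constructed Apache config: the first vhost does not staple, the second does.
APACHE_CONF = """\
<VirtualHost *:443>
    ServerName family.techduck.ca
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName wiki.techduck.ca
    SSLUseStapling on
</VirtualHost>
"""

def lineage_requires_stapling(renewal_text):
    """True if [renewalparams] sets must_staple = True (certificate property)."""
    in_params = False
    for line in renewal_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            in_params = line == "[renewalparams]"
        elif in_params and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "must_staple":
                return value.lower() == "true"
    return False

def vhosts_without_stapling(apache_text):
    """ServerNames of vhosts lacking 'SSLUseStapling on' (web server property).
    Assumption: stapling is set inside each vhost, not inherited from server scope."""
    missing = []
    for block in re.findall(r"<VirtualHost\b.*?</VirtualHost>", apache_text, re.S | re.I):
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.M | re.I)
        stapled = re.search(r"^\s*SSLUseStapling\s+on\b", block, re.M | re.I)
        if name and not stapled:
            missing.append(name.group(1))
    return missing

def audit(renewal_text, cert_names, apache_text):
    """Names on a must-staple certificate that are served without a staple."""
    if not lineage_requires_stapling(renewal_text):
        return []
    return [n for n in vhosts_without_stapling(apache_text) if n in cert_names]
```

A non-empty result from `audit` lists the names for which Firefox would report `MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING`.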
Thanks for your quick reply, JuergenAuer!
will read guide (lazy)
but first tried your command (guess I have individual certs)
big duh day for me.
so had a thought and cancelled but will do each individually
you folks are the best
ta4now
b
certbot --staple-ocsp
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?
1: techduck.ca
2: family.techduck.ca
3: ns1.techduck.ca
4: shc.techduck.ca
5: wiki.techduck.ca
6: www.techduck.ca
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/family.techduck.ca.conf)
It contains these names: family.techduck.ca
You requested these names for the new certificate: techduck.ca,
family.techduck.ca, ns1.techduck.ca, shc.techduck.ca, wiki.techduck.ca,
www.techduck.ca.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: c
User chose to cancel the operation and may reinvoke the client.
IMPORTANT NOTES:
- To obtain a new certificate that contains these names without
replacing your existing certificate for family.techduck.ca, you
must use the --duplicate option.
For example:
/usr/bin/certbot --duplicate --staple-ocsp