Update certificate to support OCSP Must Staple

Hi, I have certbot 1.15.0 and a bunch of certificates atm.

How can I update the certificates to include --must-staple?

Also, if I use a manual challenge such as DNS, does this mean I need to complete the challenge every time a certificate is due for renewal?

Thanks

I think it should be enough to include the --must-staple option in combination with certbot renew.

A valid authentication is cached for 30 days and the advice is to renew after 60 days (i.e., 30 days before expiry), so yes, every normal renewal you are required to re-do the challenge. That's not reserved for the dns-01 plugin by the way, but for every challenge.

I would advise you to automate the validation of your hostnames: either switch over to the http-01 challenge (which is easier to automate) if you don't require a wildcard certificate and have a working port 80, or script the adding and removing of the TXT RR for the dns-01 challenge.
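As an added illustration of the "script the adding and removing of the TXT RR" advice (this is not code from the thread or from the certbot project): a single POSIX sh script that serves as both `--manual-auth-hook` and `--manual-cleanup-hook`. certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to those hooks; everything else here is assumed for the example, in particular the zone-file-style text file (`ACME_ZONE_FILE`) that stands in for whatever DNS API or `nsupdate` call your provider needs, and the `ACME_DNS_WAIT` propagation pause.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot itself.
# certbot sets CERTBOT_DOMAIN and CERTBOT_VALIDATION for the dns-01 hooks.
# ACME_ZONE_FILE is an assumed name: a zone-style text file used here as a
# stand-in for a real DNS backend (API call, nsupdate, ...).
ACME_ZONE_FILE="${ACME_ZONE_FILE:-/var/lib/acme/acme-challenge.zone}"

# acme_record_name DOMAIN -> owner name of the validation record
acme_record_name() {
    printf '_acme-challenge.%s.\n' "$1"
}

# acme_record_line DOMAIN VALIDATION -> the complete TXT RR in zone-file syntax
acme_record_line() {
    printf '%s 60 IN TXT "%s"\n' "$(acme_record_name "$1")" "$2"
}

# zone_add_txt ZONEFILE DOMAIN VALIDATION: append the RR (idempotent, so a
# retried hook does not leave duplicates)
zone_add_txt() {
    line=$(acme_record_line "$2" "$3")
    mkdir -p "$(dirname "$1")"
    touch "$1"
    grep -qxF -- "$line" "$1" || printf '%s\n' "$line" >> "$1"
}

# zone_remove_txt ZONEFILE DOMAIN VALIDATION: delete exactly that RR and keep
# the others (a SAN certificate runs one hook pair per name)
zone_remove_txt() {
    line=$(acme_record_line "$2" "$3")
    tmp=$(mktemp)
    grep -vxF -- "$line" "$1" > "$tmp" || true   # grep exits 1 when nothing is left
    mv "$tmp" "$1"
}

# zone_count_txt ZONEFILE DOMAIN -> number of _acme-challenge TXT RRs for DOMAIN
zone_count_txt() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cF -- "$(acme_record_name "$2") " "$1" || true   # prints 0 on no match
}

# Entry point used by certbot, e.g.:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/to/this.sh add" \
#     --manual-cleanup-hook "/path/to/this.sh remove" -d example.com
case "$1" in
    add)
        zone_add_txt "$ACME_ZONE_FILE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        # push/reload the zone here, then give resolvers time to see the record
        # before certbot tells the CA to look it up (ACME_DNS_WAIT is assumed)
        sleep "${ACME_DNS_WAIT:-30}"
        ;;
    remove)
        zone_remove_txt "$ACME_ZONE_FILE" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
        ;;
esac
```

The same hooks apply to `certbot renew`, so once they are in place the challenge is redone at every renewal without anyone typing a TXT record by hand. Keeping the cleanup step exact (remove one record, not the whole `_acme-challenge` name) matters because a wildcard plus base-domain certificate needs two TXT records under the same name at the same time.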

Thank you, I used the below command to change the challenge method. I'll now try updating one of the other certificates.

`certbot renew --cert-name domain.com --must-staple --force-renewal -a nginx -w /etc/nginx/sites-available/`

Combining -a nginx and -w doesn't make much sense: the -w option is for the webroot authenticator; the nginx authenticator you're using now has its own methods for authenticating the challenge without the use of a webroot.

Also, using /sites-available/ as webroot-path doesn't make much sense either, you're lucky the option isn't used :stuck_out_tongue:

Please read more about the certbot options in its documentation: User Guide — Certbot 1.15.0.dev0 documentation
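After a renewal with --must-staple it is worth confirming that the new certificate really carries the TLS Feature extension, since a Must-Staple certificate served by a web server that does not staple OCSP responses is rejected by clients that enforce the flag. The following is an added example, not code from the thread or from certbot; it only needs the openssl CLI (1.1.1 or newer for the `-addext` option used to build the throwaway test certificates), and the certificate names are assumed.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot.
# The --must-staple option asks for the TLS Feature extension
# (OID 1.3.6.1.5.5.7.1.24) with the value status_request; "openssl x509 -text"
# prints it as a "TLS Feature:" block containing "status_request".

# has_must_staple CERT.pem -> exit 0 if the extension is present, 1 otherwise
# e.g. has_must_staple /etc/letsencrypt/live/domain.com/cert.pem (path assumed)
has_must_staple() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'status_request'
}

# not_after CERT.pem -> prints the notAfter date, to confirm --force-renewal
# actually produced a fresh certificate
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# make_test_cert OUT.pem [must-staple] -> constructed self-signed certificate,
# created here only so the check can be exercised offline
make_test_cert() {
    out="$1"
    if [ "$2" = "must-staple" ]; then
        ext='-addext tlsfeature=status_request'
    else
        ext=''
    fi
    # $ext is intentionally unquoted so it splits into option and value
    # shellcheck disable=SC2086
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
        -keyout "${out%.pem}.key" -out "$out" $ext >/dev/null 2>&1
}
```

Usage on a real deployment: run `has_must_staple` against `cert.pem` in the renewed lineage's live directory; if it reports the extension, make sure `ssl_stapling on;` (nginx) or the equivalent is enabled and working before putting that certificate into service.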

thank you, I will learn from this
