
Renewal: Preserve 'OCSP Must Staple' (option --must-staple) #3844

Closed
thomaszbz opened this issue Dec 3, 2016 · 4 comments

Comments

@thomaszbz
Contributor

thomaszbz commented Dec 3, 2016

Description:

Via #2626, Certbot creates a certificate with the OCSP Must Staple TLS extension when called with the option --must-staple. Please note that this TLS extension is contained in the generated certificate file itself.

However, the option --must-staple is not stored in /etc/letsencrypt/renewal/www.example.com.conf. In my case:

[renewalparams]
installer = apache
authenticator = apache
rsa_key_size = 4096
account = abc

There also seems to be no entry for OCSP Must Staple in the test file.

When executing certbot renew, certbot renews the certificates without the OCSP Must Staple extension.

Suggested Fix:

  • For renewal, certbot should be aware that the old certificate was generated with --must-staple. That information should be stored in the [renewalparams] section.
  • For certbot renew, the new certificate should be generated with --must-staple if the old certificate was generated with that extension.

Use case:

  • I have some certificates which I want to renew with --must-staple, because e.g. apache supports that.
  • I have other certificates which I use with other software (e.g. an ancient mailserver) which does not support OCSP at all.
  • For certbot renew, certbot should be aware which one is which, using [renewalparams]. Otherwise, certbot renew would not qualify to be used for automation in my case.

Version:

certbot --version
certbot 0.9.3

OS: Debian 8, with certbot installed via official debian repository.
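The mismatch described in this issue (the certificate carries the extension, the renewal conf does not) is easy to check for after every `certbot renew`. The following script is an added example and is not certbot's own code: it parses the [renewalparams] block of a renewal conf and the `openssl x509 -noout -text` output of the issued certificate, classifies whether the next renewal would silently drop Must Staple, and can rewrite the conf to persist the option. The renewal-conf key name `must_staple` is assumed (it is the spelling certbot uses for --must-staple in later versions); the conf and OpenSSL text samples are constructed from the block quoted above, and the parser is line-based on purpose because real renewal files carry top-level keys (version, archive_dir, ...) above the first section, which configparser rejects.

```python
"""Audit whether a certbot renewal conf will preserve OCSP Must Staple.

Added example, not certbot's own code. Compares what the issued certificate
actually carries (the TLS Feature extension, RFC 7633, as printed by
`openssl x509 -in cert.pem -noout -text`) against what the renewal conf
will pass on the next `certbot renew`. The key name `must_staple` is an
assumption; all samples below are constructed.
"""
import re

# Constructed sample: the [renewalparams] block from the issue, no must_staple.
SAMPLE_CONF = """\
version = 0.9.3
archive_dir = /etc/letsencrypt/archive/www.example.com
[renewalparams]
installer = apache
authenticator = apache
rsa_key_size = 4096
account = abc
"""

# Constructed excerpts of `openssl x509 -noout -text` output.
SAMPLE_X509_WITH_STAPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            TLS Feature: 
                status_request
            X509v3 Subject Alternative Name:
                DNS:www.example.com
"""
SAMPLE_X509_WITHOUT_STAPLE = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:www.example.com
"""


def _is_section(line):
    s = line.strip()
    return s.startswith("[") and s.endswith("]")


def parse_renewal_conf(text):
    """Return the key/value pairs of [renewalparams] as a dict."""
    params, in_section = {}, False
    for line in text.splitlines():
        s = line.strip()
        if _is_section(line):
            in_section = (s == "[renewalparams]")
        elif in_section and s and not s.startswith("#") and "=" in s:
            k, v = s.split("=", 1)
            params[k.strip()] = v.strip()
    return params


def conf_requests_must_staple(params):
    """True if the conf would pass --must-staple on the next renewal (assumed key)."""
    return params.get("must_staple", "").lower() in ("true", "1", "yes")


def cert_has_must_staple(x509_text):
    """True if OpenSSL's text dump lists status_request under 'TLS Feature:'."""
    m = re.search(r"TLS Feature:[ \t]*\n\s*([^\n]+)", x509_text)
    if not m:
        return False
    return "status_request" in [f.strip() for f in m.group(1).split(",")]


def audit(conf_text, x509_text):
    """'ok', 'will_drop_staple' (cert has it, conf does not: next renew loses
    it), 'conf_not_applied' (conf has it, cert does not), or 'no_staple'."""
    in_conf = conf_requests_must_staple(parse_renewal_conf(conf_text))
    in_cert = cert_has_must_staple(x509_text)
    if in_cert and in_conf:
        return "ok"
    if in_cert:
        return "will_drop_staple"
    if in_conf:
        return "conf_not_applied"
    return "no_staple"


def add_must_staple(conf_text):
    """Return the conf with `must_staple = True` in [renewalparams], replacing
    any existing must_staple line and leaving every other line untouched."""
    out, in_section, found, written = [], False, False, False
    for line in conf_text.splitlines():
        if _is_section(line):
            if in_section and not written:
                out.append("must_staple = True")
                written = True
            in_section = (line.strip() == "[renewalparams]")
            found = found or in_section
        elif in_section and line.split("=", 1)[0].strip() == "must_staple":
            out.append("must_staple = True")
            written = True
            continue
        out.append(line)
    if in_section and not written:
        out.append("must_staple = True")
    if not found:
        out += ["[renewalparams]", "must_staple = True"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_X509_WITH_STAPLE))
    print(audit(add_must_staple(SAMPLE_CONF), SAMPLE_X509_WITH_STAPLE))
```

In practice you would feed `audit()` the real file from /etc/letsencrypt/renewal/ and the output of `openssl x509 -in /etc/letsencrypt/live/<name>/cert.pem -noout -text`; a result of `will_drop_staple` is exactly the situation the issue describes, and a certificate that was renewed without the extension while the server still expects to staple will show up as `conf_not_applied` once the conf has been fixed.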

@thomaszbz thomaszbz changed the title Renewal: Preserve --oscp-must-staple Renewal: Preserve OSCP --must-staple Dec 3, 2016
@thomaszbz thomaszbz changed the title Renewal: Preserve OSCP --must-staple Renewal: Preserve 'OCSP Must Staple' (option --must-staple) Dec 3, 2016
@pde
Member

pde commented Dec 3, 2016

Thanks for catching this!

@pde
Copy link
Member

pde commented Dec 3, 2016

We should think about whether any other security enhancements should also be stored in renewal conf files -- most of them don't need to be, because they're one-off calls to the IInstaller.

@thomaszbz
Contributor Author

related: #3394

thomaszbz added a commit to thomaszbz/certbot that referenced this issue Dec 7, 2016
schoen added a commit that referenced this issue Jan 5, 2017
Preserve --must-staple in configuration for renewal (#3844)
together with updated version of PR #3948 Save allow_subset_of_names in renewal conf files
@thomaszbz
Contributor Author

Now that PR #3948 got merged and includes my commits, I think this issue should be solved and can be closed.

TheNavigat pushed a commit to TheNavigat/letsencrypt that referenced this issue Feb 1, 2017