Renewal: Preserve 'OCSP Must Staple' (option --must-staple) #3844
thomaszbz changed the title from "Renewal: Preserve --oscp-must-staple" to "Renewal: Preserve OSCP --must-staple" on Dec 3, 2016
thomaszbz changed the title from "Renewal: Preserve OSCP --must-staple" to "Renewal: Preserve 'OCSP Must Staple' (option --must-staple)" on Dec 3, 2016
Thanks for catching this!
We should think about whether any other security enhancements should also be stored in renewal conf files -- most of them don't need to be, because they're one-off calls to the
thomaszbz added a commit to thomaszbz/certbot that referenced this issue on Dec 3, 2016
thomaszbz added a commit to thomaszbz/certbot that referenced this issue on Dec 3, 2016
related: #3394
thomaszbz added a commit to thomaszbz/certbot that referenced this issue on Dec 7, 2016
Now that PR #3948 got merged and includes my commits, I think this issue should be solved and can be closed.
TheNavigat pushed a commit to TheNavigat/letsencrypt that referenced this issue on Feb 1, 2017
TheNavigat pushed a commit to TheNavigat/letsencrypt that referenced this issue on Feb 1, 2017
TheNavigat pushed a commit to TheNavigat/letsencrypt that referenced this issue on Feb 1, 2017
Description:

Via #2626, Certbot creates a certificate with the `OCSP Must Staple` TLS extension when called with option `--must-staple`. Please note that this TLS extension is contained in the generated certificate file itself. However, the option `--must-staple` is not stored in `/etc/letsencrypt/renewal/www.example.com.conf`. In my case:

There also seems not to be an entry for `OCSP Must Staple` in the test file. When executing `certbot renew` for renewal, certbot renews certificates without the `OCSP Must Staple` extension, respectively.

Suggested Fix:

- `--must-staple`. That information should be stored in the `[renewalparams]` section, respectively.
- `certbot renew`, the new certificate should be generated with `--must-staple`, in case the old certificate was generated with that extension.

Use case:

- `--must-staple`, because e.g. apache supports that.
- `certbot renew`, certbot should be aware which one is which, using `[renewalparams]`. Otherwise, `certbot renew` would not qualify to be used for automation in my case.

Version:

OS: Debian 8, with certbot installed via official debian repository.
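The script below is an added example, not certbot's code and not part of this issue. It detects the drift the report describes: a live certificate that carries the TLS Feature extension (OCSP Must Staple, OID 1.3.6.1.5.5.7.1.24) while the renewal conf that `certbot renew` replays has no `must_staple` entry under `[renewalparams]`. The key name `must_staple = True` is an assumption here, the DER walker is a minimal stdlib parser written for this example, and the certificate extensions fragment and the conf text it runs on are constructed, not real files from a system.

```python
"""Added example: flag a certificate that carries OCSP Must Staple while its
renewal conf does not record the flag, so `certbot renew` would drop it.
Standard library only; the sample inputs at the bottom are constructed."""
import configparser
from typing import Iterator, List, Optional, Tuple

# id-pe-tlsfeature = 1.3.6.1.5.5.7.1.24 (RFC 7633), DER-encoded OID body
TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")
STATUS_REQUEST = 5  # TLS extension type for OCSP stapling (RFC 6066)


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; used only to build the constructed samples."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _iter_tlvs(buf: bytes) -> Iterator[Tuple[int, bool, bytes]]:
    """Yield (tag, is_constructed, value) for each DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long-form length: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        value = buf[pos:pos + length]
        if len(value) != length:
            raise ValueError("truncated DER")
        yield tag, bool(tag & 0x20), value
        pos += length


def _find_extension(buf: bytes, oid: bytes) -> Optional[bytes]:
    """Depth-first search for Extension ::= SEQUENCE { extnID, [critical], extnValue }."""
    for tag, constructed, value in _iter_tlvs(buf):
        if not constructed:
            continue
        kids = list(_iter_tlvs(value))
        if (tag == 0x30 and kids and kids[0][0] == 0x06
                and kids[0][2] == oid and kids[-1][0] == 0x04):
            return kids[-1][2]  # contents of the extnValue OCTET STRING
        found = _find_extension(value, oid)
        if found is not None:
            return found
    return None


def tls_features(cert_der: bytes) -> List[int]:
    """TLSFeatures ::= SEQUENCE OF INTEGER; returns [] when the extension is absent."""
    body = _find_extension(cert_der, TLS_FEATURE_OID)
    if body is None:
        return []
    outer = list(_iter_tlvs(body))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("malformed TLSFeatures")
    return [int.from_bytes(v, "big", signed=True)
            for t, _, v in _iter_tlvs(outer[0][2]) if t == 0x02]


def cert_has_must_staple(cert_der: bytes) -> bool:
    return STATUS_REQUEST in tls_features(cert_der)


def conf_preserves_must_staple(conf_text: str) -> bool:
    """Read [renewalparams]. The renewal conf has top-level keys before any
    section header, so a dummy header is prepended for configparser."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string("[top]\n" + conf_text)
    # Assumption: the flag is recorded as `must_staple = True` under [renewalparams].
    return cp.getboolean("renewalparams", "must_staple", fallback=False)


def renewal_status(cert_der: bytes, conf_text: str) -> str:
    in_cert = cert_has_must_staple(cert_der)
    in_conf = conf_preserves_must_staple(conf_text)
    if in_cert and not in_conf:
        return "drift"  # the issue's case: renewal would silently drop Must Staple
    if in_cert:
        return "consistent"
    return "pending" if in_conf else "unused"


# --- constructed samples (not real certificates or renewal conf files) -----
_BASIC_CONSTRAINTS = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d13"))
                          + _tlv(0x01, b"\xff") + _tlv(0x04, _tlv(0x30, b"")))
_TLS_FEATURE = _tlv(0x30, _tlv(0x06, TLS_FEATURE_OID)
                    + _tlv(0x04, _tlv(0x30, _tlv(0x02, bytes([STATUS_REQUEST])))))
# [3] EXPLICIT Extensions, the shape the walker meets inside a TBSCertificate
EXTS_WITH_MUST_STAPLE = _tlv(0xA3, _tlv(0x30, _BASIC_CONSTRAINTS + _TLS_FEATURE))
EXTS_PLAIN = _tlv(0xA3, _tlv(0x30, _BASIC_CONSTRAINTS))

CONF_WITHOUT_FLAG = """\
archive_dir = /etc/letsencrypt/archive/www.example.com
cert = /etc/letsencrypt/live/www.example.com/cert.pem

[renewalparams]
authenticator = apache
installer = apache
account = 00000000constructed00000000
"""
CONF_WITH_FLAG = CONF_WITHOUT_FLAG + "must_staple = True\n"

if __name__ == "__main__":
    for label, der, conf in [("old conf", EXTS_WITH_MUST_STAPLE, CONF_WITHOUT_FLAG),
                             ("fixed conf", EXTS_WITH_MUST_STAPLE, CONF_WITH_FLAG)]:
        print(f"{label}: features={tls_features(der)} -> {renewal_status(der, conf)}")
```

Run against a real deployment, `cert_der` would be the DER of `cert.pem` under `/etc/letsencrypt/live/<name>/` and `conf_text` the matching file under `/etc/letsencrypt/renewal/`; a "drift" result is exactly the state the reporter hit, where the next `certbot renew` issues a certificate without the extension.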