Add --must-staple flag #2667
9a1e68e to 09a38c7
Reading the help for this flag, one might naively expect it to integrate with the Apache (and Nginx?) plugins to actually do the stapling. If not, it should be clearly documented that it simply changes a property of the obtained cert and that (for now) the user will have to set things up manually.
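What the flag actually changes in the obtained cert, as an added example that is not code from this PR or from the Let's Encrypt client: `--must-staple` requests the TLS Feature extension of RFC 7633 (OID 1.3.6.1.5.5.7.1.24), whose value is a SEQUENCE OF INTEGER listing TLS extension numbers, with 5 (status_request) meaning "a valid OCSP response must be stapled". The script below encodes that extension and then walks a DER Extensions SEQUENCE to report whether a certificate or CSR carries it. The two Extensions blobs at the bottom are constructed inline for the demonstration; to check a real certificate you would pass it the extensions field taken from the TBSCertificate.

```python
"""Encode and detect the TLS Feature (Must-Staple) extension, RFC 7633.

Added example, not part of the Let's Encrypt client. It uses a tiny hand-rolled
DER reader so it runs with no third-party dependency.
"""

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature
STATUS_REQUEST = 5                      # TLS extension number for OCSP stapling


def der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:  # base-128, high bit set on all but the last byte
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def decode_oid(content: bytes) -> str:
    """Dotted string from the content bytes of an OBJECT IDENTIFIER."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def encode_tls_feature(features=(STATUS_REQUEST,)) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING };
    extnValue wraps Features ::= SEQUENCE OF INTEGER."""
    feats = der_tlv(0x30, b"".join(der_tlv(0x02, bytes([f])) for f in features))
    return der_tlv(0x30, encode_oid(TLS_FEATURE_OID) + der_tlv(0x04, feats))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(content: bytes):
    pos = 0
    while pos < len(content):
        tag, inner, pos = read_tlv(content, pos)
        yield tag, inner


def tls_features(extensions_der: bytes):
    """TLS feature numbers from an Extensions SEQUENCE, or None if absent."""
    tag, exts, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    for _, ext in iter_tlvs(exts):
        fields = list(iter_tlvs(ext))
        if decode_oid(fields[0][1]) != TLS_FEATURE_OID:
            continue
        # extnValue is always the last field; the critical BOOLEAN is optional.
        _, feats_content, _ = read_tlv(fields[-1][1], 0)
        return [int.from_bytes(c, "big") for t, c in iter_tlvs(feats_content) if t == 0x02]
    return None


def must_staple(extensions_der: bytes) -> bool:
    feats = tls_features(extensions_der)
    return feats is not None and STATUS_REQUEST in feats


# Constructed sample input: basicConstraints (critical, CA:FALSE) alone, and
# the same plus the TLS Feature extension that --must-staple would add.
BASIC_CONSTRAINTS = der_tlv(
    0x30, encode_oid("2.5.29.19") + der_tlv(0x01, b"\xff") + der_tlv(0x04, der_tlv(0x30, b"")))
PLAIN_EXTS = der_tlv(0x30, BASIC_CONSTRAINTS)
MUST_STAPLE_EXTS = der_tlv(0x30, BASIC_CONSTRAINTS + encode_tls_feature())

if __name__ == "__main__":
    print("plain cert must-staple:", must_staple(PLAIN_EXTS))
    print("flagged cert must-staple:", must_staple(MUST_STAPLE_EXTS))
```

Finding the extension only tells you the certificate demands a staple; it says nothing about whether the web server actually sends one, which is the manual Apache or Nginx stapling setup the comment above is asking to have documented.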
@sagi would you be interested in implementing the plugin-side of a must staple enhancement?
Clarified the help text to indicate it doesn't do the autoconfiguration.
@pde yes! thanks. I'll start working on it this weekend :)
The relevant issue for the enhancement part is at #930. Leaving this PR open for now in case it requires modification as part of that work.
@sagi have you started looking at this yet? Any thoughts on whether we should merge this PR as is, or wait for possible tweaks to match an Apache OCSP stapling component?
@pde yes. Let's call the extension X, the minimum Apache version that supports OCSP Stapling V, and the Let's Encrypt client L. My thoughts are: the gist is that X should be enabled by default and that X adds both the pseudocode:
Strongly disagree. Must Staple is still very new, and many servers (including Apache) are likely to have problems. I think the Must Staple extension should only be by request from adventurous users, but Stapling can be turned on by default because it's very low risk.
Now that 0.5.0 is released, can we land this? |
This never got a "LGTM" from Sagi. Sagi, should we merge it? |
And @jsha, want to merge master? |
LGTM. |
Fixes #2626