Renewing Let’s Encrypt certificates error - OCSP discontinued

For a few days I had a nagging email from my server that certbot had not managed to renew all of my certificates.

I renew my certificates well in time before they expire, so I knew that I had a bit of time before I really had to look into this.

Going through the logs, and then doing a “dry-run” (simply run certbot renew --dry-run), I saw the following error message:

Failed to renew certificate something.url.domain with error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp.

From the linked web page I learned that:

OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP.

The bottom line is: Let’s Encrypt has discontinued OCSP (but still supports CRLs), so a renewal request that asks for the OCSP Must-Staple extension is now refused.

However, no instructions were provided on how to fix the error.

These are the steps for disabling OCSP stapling on an Apache webserver, so that certbot can renew your certificates:

  1. Update all individual site configuration files
  2. Reload Apache
  3. Update all individual Certbot renewal profiles
  4. Renew your certificates

Step 1: Update Apache configuration files

First, find which files contain a Stapling directive:

$ grep -rl stapling /etc/apache2/

(or /etc/httpd or wherever your Apache configuration files live).

In each configuration file (e.g. /etc/apache2/sites-available/myurl.com.conf) there are two directives that need to be disabled or removed to turn off OCSP stapling:

SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
SSLUseStapling On

Step 2: Test your Apache configuration, and reload Apache

$ apachectl -t
Syntax OK
$ apachectl reload

Step 3: Update Certbot renewal profiles

The default path for Certbot renewal profiles on my server is /etc/letsencrypt/renewal/. Find the profiles that still request Must-Staple:

$ grep -rl staple /etc/letsencrypt/renewal

Look for the must_staple directive and set it to False, comment it, or remove it altogether:

[renewalparams]
...
must_staple = False

Step 4: Renew your certificates

Now you should be able to renew your certificates. It’s a good idea to first do a dry-run to make sure everything will work:

$ certbot renew --dry-run

If that returns no errors, go ahead and actually renew your certificates:

$ certbot renew
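As an added example (not a script from the original post), the following shell helper applies steps 1 and 3 to the files you point it at and then audits a directory for leftover references; it keeps a .bak copy of every file it rewrites, and the file names and contents in the demo are constructed, not taken from a real server.

```shell
#!/bin/sh
# Added example: helper for steps 1 and 3 of the procedure above.
# Every rewritten file gets a .bak copy next to it. Paths are arguments,
# so you can rehearse on copies before touching /etc.
set -eu

# Step 1: comment out SSLUseStapling / SSLStaplingCache in an Apache config.
# Prints how many directives were disabled.
disable_apache_stapling() {
    f="$1"
    n=$(grep -c -E '^[[:space:]]*SSL(UseStapling|StaplingCache)[[:space:]]' "$f" || true)
    if [ "$n" -gt 0 ]; then
        sed -E -i.bak 's/^([[:space:]]*)(SSL(UseStapling|StaplingCache)[[:space:]])/\1# \2/' "$f"
    fi
    echo "$n"
}

# Step 3: turn "must_staple = True" into "must_staple = False" in a Certbot
# renewal profile. Prints how many lines were changed.
disable_must_staple() {
    f="$1"
    n=$(grep -c -E '^[[:space:]]*must_staple[[:space:]]*=[[:space:]]*True[[:space:]]*$' "$f" || true)
    if [ "$n" -gt 0 ]; then
        sed -E -i.bak 's/^([[:space:]]*must_staple[[:space:]]*=[[:space:]]*)True[[:space:]]*$/\1False/' "$f"
    fi
    echo "$n"
}

# Audit: list files under a directory that still carry any of the three
# directives (ignoring the .bak copies). After the fix this prints nothing.
remaining_stapling_refs() {
    grep -rlE '^[[:space:]]*(SSL(UseStapling|StaplingCache)[[:space:]]|must_staple[[:space:]]*=[[:space:]]*True)' "$1" \
        | grep -v '\.bak$' || true
}

# Demo on constructed files in a scratch directory (not real server paths).
demo_dir=$(mktemp -d)
printf 'SSLEngine On\nSSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)\nSSLUseStapling On\n' \
    > "$demo_dir/myurl.com.conf"
printf '[renewalparams]\nmust_staple = True\n' > "$demo_dir/myurl.com.conf.renewal"
disable_apache_stapling "$demo_dir/myurl.com.conf"      # prints 2
disable_must_staple "$demo_dir/myurl.com.conf.renewal"  # prints 1
remaining_stapling_refs "$demo_dir"                     # prints nothing
rm -rf "$demo_dir"
```

Run the audit function a second time after `certbot renew --dry-run` succeeds to confirm nothing was missed.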

I hope this helps!

Thanks to: https://mattzaskeonline.info/blog/2025-02/removing-staples-moving-away-lets-encrypt-oscp-stapling