Renewing Let’s Encrypt certificates error - OCSP discontinued

For a few days I had been getting a nagging email from my server that certbot had not managed to renew all of my certificates.

I renew my certificates well in time before they expire, so I knew that I had a bit of time before I really had to look into this.

Going through the logs, and then doing a “dry-run” (simply run certbot renew --dry-run), I saw the following error message:

BASH
Failed to renew certificate something.url.domain with error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp.

From the linked web page I learned that:

“OCSP and CRLs are both mechanisms by which CAs can communicate certificate revocation information, but CRLs have significant advantages over OCSP.”

The bottom line is: Let’s Encrypt has discontinued OCSP (but still supports CRLs).

However, no instructions were provided on how to fix the error.

These are the steps for disabling OCSP stapling on an Apache webserver, so that certbot can renew your certificates:

  1. Update all individual site configuration files
  2. Reload Apache
  3. Update all individual Certbot renewal profiles
  4. Renew your certificates

Step 1: Update Apache configuration files

First, find which files contain a stapling directive:

BASH
$ grep -rl stapling /etc/apache2/

(or /etc/httpd or wherever your Apache configuration files live).

In each configuration file (e.g. /etc/apache2/sites-available/myurl.com.conf) there are two directives that need to be disabled or removed to turn off OCSP stapling:

APACHE
SSLStaplingCache shmcb:/var/run/apache2/stapling_cache(128000)
SSLUseStapling On

Step 2: Test your Apache configuration, and reload Apache

BASH
$ apachectl -t
Syntax OK
$ apachectl reload

Step 3: Update Certbot renewal profiles

The default path for Certbot renewal profiles on my server is /etc/letsencrypt/renewal/. Find the profiles that contain a must_staple directive:

BASH
$ grep -rl staple /etc/letsencrypt/renewal

Look for the must_staple directive and set it to False, comment it, or remove it altogether:

INI
[renewalparams]
...
must_staple = False

Step 4: Renew your certificates

Now you should be able to renew your certificates. It’s a good idea to do a dry run first to make sure everything will work:

BASH
$ certbot renew --dry-run

If that returns no errors, go ahead and actually renew your certificates:

BASH
$ certbot renew

I hope this helps!

Thanks to: https://mattzaskeonline.info/blog/2025-02/removing-staples-moving-away-lets-encrypt-oscp-stapling
