
Do not reuse CSR if OCSP must-staple is enabled #879

@Ayesh

Description

Is your feature request related to a problem? Please describe.

LetsEncrypt is dropping support for OCSP, and requesting certificates with OCSP must-staple bit now fails.

https://letsencrypt.org/2024/12/05/ending-ocsp/

May 7, 2025

- On this date all requests including the OCSP Must Staple extension will fail

getssl reuses the CSR files, so this results in a failed renewal if a domain previously used must-staple.

Describe the solution you'd like

In a new version, automatically remove the must-staple part from the CSR, or recreate the CSR if it contains the must-staple bit.

Alternately, we can make this a bit more controlled by recreating the CSR if the -f flag is set. One more way I can think of is adding a new flag, --force-new-csr that will recreate the new CSR file.

Describe alternatives you've considered

Without an automatic CSR recreation or a flag, if a server has several certificates, they will have to find and remove all CSR files. It's not really time-consuming, but if we can automate it, it can help avoid some surprises.

Thank you.
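The detect-and-recreate check this request asks for, as an added shell example that is not part of getssl or of this issue. It assumes openssl 1.1.1 or newer on PATH, a CSR path supplied by the caller, and the placeholder name example.test for the constructed demo CSRs.

```shell
#!/usr/bin/env bash
# Added example (not getssl's own code): before a saved CSR is reused for a
# renewal, detect whether it requests OCSP Must-Staple (the TLS Feature
# extension of RFC 7633 carrying feature 5, status_request) and retire it so
# the next run generates a fresh CSR. Assumes openssl 1.1.1+ is on PATH.
set -u

# Return 0 if the CSR carries Must-Staple, 1 if not, 2 if openssl cannot parse it.
csr_has_must_staple() {
  local csr="$1" text
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 2
  # openssl prints the extension as "TLS Feature:" with "status_request" beneath it.
  printf '%s\n' "$text" | grep -A2 'TLS Feature' | grep -q 'status_request'
}

# Move a Must-Staple CSR aside as <csr>.must-staple.bak and print the new path.
# Return 1 when the CSR is safe to reuse, 2 when it could not be moved.
retire_must_staple_csr() {
  local csr="$1" bak
  csr_has_must_staple "$csr" || return 1
  bak="$csr.must-staple.bak"
  mv -- "$csr" "$bak" || return 2
  printf '%s\n' "$bak"
}

# Demo (run with --demo): two constructed CSRs with throwaway keys and the
# placeholder name example.test, one requesting Must-Staple and one not.
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  for kind in staple plain; do
    ext=""; [ "$kind" = staple ] && ext="-addext tlsfeature=status_request"
    # shellcheck disable=SC2086  # $ext is intentionally word-split
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$dir/$kind.key" -subj /CN=example.test $ext \
      -out "$dir/$kind.csr" 2>/dev/null
    if bak=$(retire_must_staple_csr "$dir/$kind.csr"); then
      echo "$kind.csr requests Must-Staple: moved to $bak, regenerate before renewing"
    else
      echo "$kind.csr has no Must-Staple request: safe to reuse"
    fi
  done
fi
```

A renewal script can call `retire_must_staple_csr` on the stored CSR and fall through to its normal CSR generation whenever it returns 0.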
