Do we already have OCSP stapling implemented in ISPConfig for both acme.sh and certbot because I didn't see one yet? I think adding --ocsp-must-staple for acme.sh code and --staple-ocsp --must-staple for certbot code in ISPConfig, both on issuance and renewal of the LE certs, would suffice. Or are there any reasons not to implement this yet?
As far as I know this is already happening, the arguments are not needed. You can test it on your own webserver with the command below. If you see "OCSP Response Status: successful", it's OK already.
openssl s_client -connect example.com:443 -status
Thanks. Nice test code, I will attempt this later today. Anyway, I tested the same via SSL Labs and it confirmed the OCSP stapling (yes was the response) but OCSP Must Staple is not confirmed (no was the response). Any idea about the latter?
AFAICS in my case I only get "OCSP response: no response sent"... but I guess it's my fault, having (wrongly!) tweaked the default vhost template at some point...
I added the above code into my ISPConfig servers (both the letsencrypt.inc.php lib class file and the 900-letsencrypt.inc.php class cron file) and for all LE certs that were renewed thereafter, the OCSP Must Staple response is now supported and the OCSP stapling response is yes in the SSL Labs Server Test. I would encourage the code to be added to ISPConfig so new and renewed LE certs will have both properly enabled, but that is up to the developers.
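Added example, not code from this thread or from ISPConfig: a small Python check for the two properties discussed above, whether `openssl s_client -status` output shows a stapled OCSP response, and whether a certificate's DER carries the RFC 7633 TLS Feature (Must-Staple) extension that SSL Labs reports. The extension bytes and the s_client output used as samples are constructed for the example.

```python
# OID 1.3.6.1.5.5.7.1.24 (id-pe-tlsfeature, RFC 7633) as DER tag + length + value.
TLS_FEATURE_OID_DER = bytes.fromhex("06082b06010505070118")
STATUS_REQUEST = 5  # TLS extension number of status_request (RFC 6066)

def _read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def tls_features(cert_der):
    """TLS feature numbers listed in the certificate's TLS Feature extension ([] if absent).
    Scans the DER for the extension OID instead of walking the whole X.509 structure."""
    pos = cert_der.find(TLS_FEATURE_OID_DER)
    if pos < 0:
        return []
    i = pos + len(TLS_FEATURE_OID_DER)
    if cert_der[i] == 0x01:            # optional 'critical' BOOLEAN (01 01 FF)
        i += 3
    assert cert_der[i] == 0x04         # extnValue OCTET STRING
    _, i = _read_len(cert_der, i + 1)
    assert cert_der[i] == 0x30         # TLSFeatures ::= SEQUENCE OF INTEGER
    seq_len, i = _read_len(cert_der, i + 1)
    end, features = i + seq_len, []
    while i < end:
        assert cert_der[i] == 0x02     # INTEGER
        n, i = _read_len(cert_der, i + 1)
        features.append(int.from_bytes(cert_der[i:i + n], "big"))
        i += n
    return features

def must_staple(cert_der):
    """True if the certificate demands stapling (Must-Staple)."""
    return STATUS_REQUEST in tls_features(cert_der)

def stapling_status(s_client_output):
    """Classify `openssl s_client -status` output as 'stapled', 'none' or 'unknown'."""
    if "OCSP Response Status: successful" in s_client_output:
        return "stapled"
    if "OCSP response: no response sent" in s_client_output:
        return "none"
    return "unknown"

# Constructed sample: the DER of a TLS Feature extension listing status_request only,
# not a real certificate. A full DER certificate is scanned the same way.
SAMPLE_EXT = bytes.fromhex("3011" "06082b06010505070118" "0405" "3003020105")
# Constructed sample of the relevant lines from `openssl s_client -status` output.
SAMPLE_STAPLED = "OCSP response:\nOCSP Response Data:\n    OCSP Response Status: successful (0x0)\n"
```

To run it against a live server, feed the DER from `openssl s_client -connect host:443 | openssl x509 -outform DER` to `must_staple` and the text of `openssl s_client -connect host:443 -status` to `stapling_status`.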
Hear, hear! You've got all my support! Did you submit a merge request on GitLab? I just see the original (closed) issue there...
Nope. The original issue is just OCSP stapling but the OCSP must staple is not implemented yet, and there could be good justification / reason for it knowing the developers.