mod_md
Proper mod_md configuration for LE no longer supporting OCSP
Long-time user of mod_md - love the module!
My current configuration enables mod_md to manage stapling of ALL domain certificates. But on 05/05/25, LE will drop support for OCSP. I would like mod_md to continue managing stapling for domains with static certificates while disabling stapling management for managed domains. Would the following configuration yield the desired setup?
Global Server Config
<IfModule md_module>
MDMustStaple off
MDStapling on
</IfModule>
SSLUseStapling off
Virtual Host NOT MD Managed
<VirtualHost>
SSLUseStapling on
</VirtualHost>
After testing the above configuration, mod_md continued to manage stapling for certificates of managed domains. This is wasteful since mod_ssl will never ask mod_md for stapling information per the global SSLUseStapling off setting. The following configuration seems to correct this:
Global Server Config
<IfModule md_module>
MDMustStaple off
MDStapling off
</IfModule>
SSLUseStapling off
<MDomain STATIC_CERTIFICATE_DOMAIN>
MDRenewMode manual
MDStapling on
</MDomain>
Virtual Host NOT MD Managed
<VirtualHost>
SSLUseStapling on
</VirtualHost>
@jmwebservices MDStapling is off by default. It does not hurt if you configure this, but it is not necessary.
@icing I am aware. I listed it in my example for clarity.
If you disable MDStapling you "only" get the stapling implementation in mod_ssl. I think the one in mod_md is superior - but I may be biased.
When LE switches off OCSP support, the certificates they issue will no longer carry an OCSP url. This will be detected by mod_md and it will then skip these for stapling checks. Do you see a need to do something beyond that?
@icing I was not aware that mod_md would skip the stapling checks when it receives a certificate without an OCSP url. However, wouldn't mod_ssl then perform stapling checks against LE certificates?
Can you confirm the last configuration I posted achieves the following?
mod_md manages certificates from LE for managed domains.
mod_md does NOT manage stapling for managed domains.
mod_md DOES manage stapling for domains with static certificates.
Yes, I believe that is what it would do.
@icing It is now quite obvious that my configuration changes were unnecessary given that mod_md and mod_ssl will not attempt stapling checks if the certificate does not have an OCSP Responder URL. All stapling settings can then remain enabled to benefit from mod_md's checks for static certificates that do carry an OCSP Responder URL.
So when LE turns off OCSP support, is the only required mod_md change to set MDMustStaple off?
Thanks!
That is my expectation. Of course, we are talking about a future that has not arrived yet. But the module's test cases run mostly against pebble which is a server that emits certs without OCSP urls. So, I am quite confident.
I am seeing tons of errors like the following:
[Sun Jun 01 00:33:13 2025] [ssl:error] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=XXX / issuer: CN=R10,O=Let's Encrypt,C=US / serial: 06AEE4A445EB114642D4E8E98FDF562E51B9 / notbefore: May 29 07:04:42 2025 GMT / notafter: Aug 27 07:04:41 2025 GMT]
[Sun Jun 01 00:33:13 2025] [ssl:error] AH02604: Unable to configure certificate xxx.xxx.xx:443:0 for stapling
I believe this error is triggered by mod_ssl - not by mod_md. However, it is likely related to the topic in this issue where LE no longer staples certificates. I thought mod_ssl, like mod_md, would ignore stapling if the certificate did not specify an OCSP URI.
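An added example, not from this thread or from the mod_md project: a small parser that reads error_log lines in the shape quoted above, pairs each AH02218 (no OCSP URI) with the AH02604 line that follows it, and lists the vhost cert ids whose issuer no longer provides OCSP, so an admin can see which virtual hosts are producing the noise and decide where `SSLUseStapling off` belongs. The log lines, host names and serials below are constructed sample data.

```python
import re

# Constructed sample in the shape of the error_log lines quoted in the thread.
SAMPLE_LOG = """\
[Sun Jun 01 00:33:13 2025] [ssl:error] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=www.example.test / issuer: CN=R10,O=Let's Encrypt,C=US / serial: 01 / notbefore: May 29 07:04:42 2025 GMT / notafter: Aug 27 07:04:41 2025 GMT]
[Sun Jun 01 00:33:13 2025] [ssl:error] AH02604: Unable to configure certificate www.example.test:443:0 for stapling
[Sun Jun 01 00:33:14 2025] [ssl:error] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=mail.example.test / issuer: CN=R10,O=Let's Encrypt,C=US / serial: 02 / notbefore: May 29 07:04:42 2025 GMT / notafter: Aug 27 07:04:41 2025 GMT]
[Sun Jun 01 00:33:14 2025] [ssl:error] AH02604: Unable to configure certificate mail.example.test:443:0 for stapling
[Sun Jun 01 00:33:15 2025] [ssl:error] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=www.example.test / issuer: CN=R10,O=Let's Encrypt,C=US / serial: 01 / notbefore: May 29 07:04:42 2025 GMT / notafter: Aug 27 07:04:41 2025 GMT]
[Sun Jun 01 00:33:15 2025] [ssl:error] AH02604: Unable to configure certificate www.example.test:443:0 for stapling
[Sun Jun 01 00:40:00 2025] [core:notice] unrelated line that the parser must ignore
"""

# AH02218 carries the certificate details; AH02604 (next line) names the vhost.
AH02218 = re.compile(
    r"AH02218: .*?\[subject: (?P<subject>.*?) / issuer: (?P<issuer>.*?) / "
    r"serial: (?P<serial>[0-9A-Fa-f]+) / notbefore: .*? / notafter: (?P<notafter>.*?)\]"
)
AH02604 = re.compile(r"AH02604: Unable to configure certificate (?P<vhost>\S+) for stapling")


def parse_stapling_failures(log_text):
    """Pair each AH02218 with the following AH02604 and aggregate per vhost id.
    Returns {vhost_id: {subject, issuer, serial, notafter, count}}."""
    pending = None
    failures = {}
    for line in log_text.splitlines():
        m = AH02218.search(line)
        if m:
            pending = m.groupdict()  # remember cert details until the vhost line arrives
            continue
        m = AH02604.search(line)
        if m and pending is not None:
            entry = failures.setdefault(m.group("vhost"), {**pending, "count": 0})
            entry["count"] += 1
            pending = None
    return failures


def vhosts_to_fix(failures, issuer_substring="Let's Encrypt"):
    """Vhost ids whose certificate issuer (by substring) has dropped OCSP."""
    return sorted(v for v, e in failures.items() if issuer_substring in e["issuer"])


if __name__ == "__main__":
    found = parse_stapling_failures(SAMPLE_LOG)
    for vhost in vhosts_to_fix(found):
        e = found[vhost]
        print(f"{vhost}: {e['count']} stapling init failures, {e['subject']}, expires {e['notafter']}")
```

Run it against a real error_log by reading the file into `parse_stapling_failures`; the printed vhost ids are the ones whose `<VirtualHost>` blocks would need `SSLUseStapling off` to stop the repeated errors.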