
security/acme-client: OCSP must-staple checkbox has no effect

Open Jerroder opened this issue 2 months ago • 5 comments

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug
Similar to https://github.com/opnsense/plugins/issues/2234 which seems to have been fixed, but is (still?) broken again. Even before Let's Encrypt removed OCSP must-staple support, unchecking "OCSP must-staple" from the certificate would not fix https://github.com/opnsense/plugins/issues/2367. Now that they removed the support, my certificate fails to renew because OCSP must-staple doesn't exist anymore, even though the option is unchecked.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Service -> ACME Client -> Certificates
  2. Click on "Edit certificate"
  3. Uncheck "OCSP Must Staple"
  4. See error

Expected behavior
The cert should renew without asking for OCSP stapling.

Screenshots
[screenshot attached in the original issue; not reproduced here]

Relevant log files

[Thu Nov 6 18:29:12 CET 2025] Verification finished, beginning signing.
[Thu Nov 6 18:29:12 CET 2025] Let's finalize the order.
[Thu Nov 6 18:29:12 CET 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1309526986/444672974811'
[Thu Nov 6 18:29:13 CET 2025] Signing failed. Finalize code was not 200.
[Thu Nov 6 18:29:13 CET 2025] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
"status": 403
}
[Thu Nov 6 18:29:13 CET 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Thu Nov 6 18:29:13 CET 2025] Please add '--debug' or '--log' to see more information.

Jerroder avatar Nov 06 '25 17:11 Jerroder

Please provide both logs for Acme Client.

fraenki avatar Nov 19 '25 11:11 fraenki

Do you mean System Logs too?

2025-11-19T00:00:00 opnsense AcmeClient: certificate must be issued/renewed: opnsense.tld.com
2025-11-19T00:00:00 opnsense AcmeClient: renew certificate: opnsense.tld.com
2025-11-19T00:00:00 opnsense AcmeClient: using CA: letsencrypt
2025-11-19T00:00:00 opnsense AcmeClient: account is registered: account
2025-11-19T00:00:00 opnsense AcmeClient: account config is valid (CERT_HOME): account
2025-11-19T00:00:00 opnsense AcmeClient: using challenge type: dns01
2025-11-19T00:00:03 opnsense AcmeClient: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --renew --syslog 6 --log-level 1 --server 'letsencrypt' --dns 'dns_njalla' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/65032cc782f3c8.14070861' --certpath '/var/etc/acme-client/certs/65032cc782f3c8.14070861/cert.pem' --keypath '/var/etc/acme-client/keys/65032cc782f3c8.14070861/private.key' --capath '/var/etc/acme-client/certs/65032cc782f3c8.14070861/chain.pem' --fullchainpath '/var/etc/acme-client/certs/65032cc782f3c8.14070861/fullchain.pem' --domain 'opnsense.tld.com' --days '60' --keylength 'ec-384' --ecc --accountconf '/var/etc/acme-client/accounts/65032c788c5807.03736579_prod/account.conf''
2025-11-19T00:00:03 opnsense AcmeClient: domain validation failed (dns01)
2025-11-19T00:00:03 opnsense AcmeClient: validation for certificate failed: opnsense.tld.com

Jerroder avatar Nov 19 '25 11:11 Jerroder

I have the same problem: OCSP Must Staple is deactivated in the UI but still present in the config file. [screenshot attached in the original comment; not reproduced here]

Multiple people have already encountered this problem: https://forum.opnsense.org/index.php?topic=48923.0

FaySmash avatar Nov 26 '25 18:11 FaySmash
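The renewal command line quoted above carries no stapling flag, so when the CA still rejects the order for must-staple, the request must be coming from state acme.sh saved earlier. The script below is an added example, not code from the OPNsense plugin or from acme.sh; it assumes acme.sh's conventions that the per-domain conf is a file of key='value' lines recording the stapling choice in Le_OCSP_Staple, and that the flag on a command line is --ocsp-must-staple (alias --ocsp). It checks three places a stale must-staple request can hide: the saved domain conf, the command line, and the issued certificate itself (by looking for the TLS Feature extension OID 1.3.6.1.5.5.7.1.24 in the DER bytes). The sample conf, command and certificate bytes are constructed for the demonstration and are not a real certificate.

```python
"""Locate a lingering OCSP must-staple request in acme.sh state.

Added example (not OPNsense plugin or acme.sh code). Assumptions, from
acme.sh conventions: domain conf lines look like KEY='value', the stapling
choice is stored as Le_OCSP_Staple, and the CLI flag is --ocsp-must-staple
(alias --ocsp).
"""
import base64
import re
import shlex

# DER encoding of the TLS Feature extension OID 1.3.6.1.5.5.7.1.24
# (RFC 7633 "must-staple"): tag 0x06, length 8, base-128 encoded arcs.
TLS_FEATURE_OID_DER = bytes.fromhex("06082b06010505070118")

_CONF_LINE = re.compile(r"""^\s*([A-Za-z_]\w*)=(?:'([^']*)'|"([^"]*)"|(\S*))\s*$""")


def parse_acme_conf(text: str) -> dict:
    """Parse acme.sh-style KEY='value' lines; blank lines and comments are skipped."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CONF_LINE.match(line)
        if m:
            # exactly one of the three value alternatives matched
            out[m.group(1)] = next(v for v in m.groups()[1:] if v is not None)
    return out


def conf_requests_must_staple(text: str) -> bool:
    """True when the saved domain conf still asks for must-staple
    (Le_OCSP_Staple set to anything other than empty or 0), whatever the UI shows."""
    return parse_acme_conf(text).get("Le_OCSP_Staple", "").strip() not in ("", "0")


def command_requests_must_staple(cmd: str) -> bool:
    """True when an acme.sh command line passes --ocsp-must-staple or --ocsp."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes in a log excerpt
        argv = cmd.split()
    return any(arg in ("--ocsp-must-staple", "--ocsp") for arg in argv)


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_has_tls_feature_ext(der: bytes) -> bool:
    """Byte-pattern check for the TLS Feature (must-staple) extension in a DER cert.
    This is a substring search, not a full ASN.1 parse: a hit means 'very likely
    present'; confirm with openssl x509 -text before acting on it."""
    return TLS_FEATURE_OID_DER in der


def must_staple_report(conf_text: str, cmd: str, der: bytes) -> dict:
    """Summarise where a must-staple request is still being made."""
    return {
        "domain_conf": conf_requests_must_staple(conf_text),
        "command_line": command_requests_must_staple(cmd),
        "issued_cert": der_has_tls_feature_ext(der),
    }


# --- constructed sample inputs (not real OPNsense/acme.sh data) ---
SAMPLE_CONF = """\
# constructed sample of an acme.sh domain conf
Le_Domain='opnsense.tld.com'
Le_Keylength='ec-384'
Le_OCSP_Staple='1'
"""
SAMPLE_CMD = ("/usr/local/sbin/acme.sh --renew --server 'letsencrypt' "
              "--domain 'opnsense.tld.com' --keylength 'ec-384' --ecc")
# Fake DER: a SEQUENCE wrapper around the TLS Feature OID and an empty value.
SAMPLE_DER = b"\x30\x10" + TLS_FEATURE_OID_DER + b"\x04\x04\x30\x02\x05\x00"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() +
              "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for place, flagged in must_staple_report(SAMPLE_CONF, SAMPLE_CMD, pem_to_der(SAMPLE_PEM)).items():
        print(f"{place:13s}: {'must-staple requested' if flagged else 'clean'}")
```

On a live box the inputs would be the domain conf under the --cert-home directory shown in the log, the command line from the system log, and cert.pem from the --certpath; a "domain_conf" hit with the UI box unchecked is exactly the mismatch the comment above describes, and the saved value is what --renew reuses.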

The "enable OCSP, save, disable OCSP, save" trick he mentions in the forum post worked; my cert renewed successfully after doing that.

Jerroder avatar Nov 26 '25 18:11 Jerroder

I think the best thing would be to remove the OCSP option completely, because it doesn't work anyway

FaySmash avatar Nov 27 '25 16:11 FaySmash