getssl
Do not reuse CSR if OCSP `must-staple` is enabled
Is your feature request related to a problem? Please describe.
Let's Encrypt is dropping support for OCSP, and requesting certificates with the OCSP must-staple extension now fails.
https://letsencrypt.org/2024/12/05/ending-ocsp/
May 7, 2025
- On this date all requests including the OCSP Must Staple extension will fail
getssl reuses the CSR files, so this results in a failed renewal if a domain previously used must-staple.
Describe the solution you'd like
In a new version, automatically remove the must-staple part from the CSR, or recreate the CSR if it contains the must-staple bit.
Alternatively, we can make this a bit more controlled by recreating the CSR if the -f flag is set. One more way I can think of is adding a new flag, `--force-new-csr`, that will recreate the CSR file.
Describe alternatives you've considered
Without automatic CSR recreation or a flag, an operator whose server has several certificates will have to find and remove all the affected CSR files. It's not really time-consuming, but if we can automate it, it can help avoid some surprises.
Thank you.
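The clean-up described above, as an added example written for this issue rather than code from getssl itself: it detects CSRs that request the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, which OpenSSL prints as "TLS Feature: status_request"), keeps the old CSR as a backup, and regenerates one from the existing key with the original SAN list but without must-staple. It assumes a getssl-style layout of `<base>/<domain>/<domain>.csr` and `<domain>.key`, a CN equal to the directory name, and an OpenSSL new enough to support `-addext` (1.1.1 or later); the sample `openssl req -text` output used in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example, not getssl's own code. Finds CSR files that still request
# OCSP Must-Staple and regenerates them without it.
set -u

# Decide from `openssl req -noout -text` output whether a CSR requests
# must-staple. OpenSSL labels the extension "TLS Feature" (falling back to
# the raw OID if the build does not know the short name). Returns 0 if present.
csr_text_has_must_staple() {
    printf '%s\n' "$1" | grep -Eq 'TLS Feature|1\.3\.6\.1\.5\.5\.7\.1\.24'
}

# Extract the SAN list from the same text output, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:example.com, DNS:www.example.com
# is returned as "DNS:example.com,DNS:www.example.com" (empty if no SANs).
csr_text_sans() {
    printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;s/[[:space:]]*$//;s/,[[:space:]]*/,/g;p;}'
}

# File-based wrapper around csr_text_has_must_staple (needs openssl on PATH).
# Returns 0 if must-staple is requested, 1 if not, 2 if the CSR cannot be read.
csr_file_has_must_staple() {
    local text
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    csr_text_has_must_staple "$text"
}

# Move the old CSR aside and build a new one from the existing private key,
# reusing the SANs found in the old CSR. No tlsfeature extension is added,
# so the new CSR carries no must-staple request.
recreate_csr_without_must_staple() {
    local key="$1" csr="$2" domain="$3" text sans
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    sans=$(csr_text_sans "$text")
    [ -n "$sans" ] || sans="DNS:$domain"            # assumption: CN is also a SAN
    mv -- "$csr" "$csr.must-staple.bak" || return 1
    openssl req -new -key "$key" -subj "/CN=$domain" \
        -addext "subjectAltName=$sans" -out "$csr"
}

# Scan a getssl-style tree (assumed layout: <base>/<domain>/<domain>.csr + .key)
# and regenerate every CSR that still requests must-staple.
fix_all_csrs() {
    local base="$1" csr dir domain
    for csr in "$base"/*/*.csr; do
        [ -f "$csr" ] || continue
        dir=$(dirname "$csr"); domain=$(basename "$dir")
        if csr_file_has_must_staple "$csr"; then
            echo "must-staple requested in $csr, regenerating"
            recreate_csr_without_must_staple "$dir/$domain.key" "$csr" "$domain" \
                || echo "failed to regenerate $csr (backup kept)" >&2
        fi
    done
}

# Usage: ./fix-must-staple-csrs.sh --scan [~/.getssl]
if [ "${1:-}" = "--scan" ]; then
    fix_all_csrs "${2:-$HOME/.getssl}"
fi
```

Run it once against the getssl working directory before the May 7, 2025 cut-off; because the old CSR is kept as `<domain>.csr.must-staple.bak`, a renewal that goes wrong can be rolled back by moving it into place again.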