Important information about Certificates/CAs/OCSP Must-Staple
Zoey2936
released this
05 Dec 22:01
·
49 commits
to develop
since this release
Note: This is not a new release but an important information
Let's Encrypt has made an announcement today which has a huge impact on NPMplus, you can read it here: https://letsencrypt.org/2024/12/05/ending-ocsp
If you have any question/ideas etc. on this topic, please write a comment
What is OCSP/CRLs?
- first: OCSP, OCSP Stapling and OCSP Must-Staple are different things.
OCSP:
- With OCSP the client (Browser), asks the CA (Let's Encrypt) if the Certificate used by the web server was revoked
- This is a check done between CA and Client, NPMplus has no influence on this
- Revocation will be detected by the client if the client (re)checks for it (recheck because of cache which could exist)
- privacy problems since the CA knows things which it should not (can be disabled in Firefox/thunderbird settings, not sure about other clients, chrome doesn't even support this)
=> useful, but with a privacy problem, maybe takes some time to be detected because of cache - https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
OCSP Stapling without Must-Staple:
- your 30 days cert is valid on its own, but it is additionally verified by a “second certificate”
- always enabled for all certbot certs of NPMplus (also for migrated instances and also if you disable must-staple)
- the “second certificate” is valid only for 7 days
- the “second certificate” is requested by the web server from the CA (since nginx implementation is not the best, NPMplus uses certbot-ocsp-fetcher for this)
- no privacy problem since browser only talks to the web sever and not to the CA
- BUT: if the cert is compromised, the cert can still be used WITHOUT OCSP Stapling and through that revocation is not be detected by the client (if the client doesn't detect trough other ways client-CA OSCP/CRLs)
=> useless without must staple, see below - https://en.wikipedia.org/wiki/OCSP_stapling
OCSP Stapling with Must-Staple:
- same as above, but your 30 days cert is NOT valid on its own, it needs a “second certificate” to be valid
- this requirement is part of the cert itself (so not removable) and added while creating the cert (must-staple requirement is enabled by default with NPMplus for all certbot certs, but can be disabled via ENV)
- Revocation will be detected as soon as the “second certificate” expires and if the client support must-staple
=> useful, if supported by the client, maybe takes some time to be detected because of validity of “second certificate” - https://en.wikipedia.org/wiki/OCSP_stapling
CRLs
- the older technology to detect revocation
- CAs publish huge lists containing information about all revoked (and by date still valid) certificates and chrome/Firefox/thunderbird download collections of these lists
- Problem: because of size, lists may not contain all revoked certs
=> depends: if the revocation information of your cert is not included, then it is useless, otherwise it is ok - https://en.wikipedia.org/wiki/Certificate_revocation_list
My opinion on this (I mostly talk about Must-Staple)
- first I understand that they remove OCSP because of the costs they have through it and because of the privacy concern
- BUT I don't understand that they remove Must-Staple support, it is better then CRL
- They argue that most web servers have no good implementation for this, which is not fully true, like caddy which has good support for this or NPMplus itself through the certbot-ocsp-fetcher script ((free)nginx own implementation is not the best) ⇒ I don't think that this argument is big enough to revert to CRLs
- The argument with the client is sadly true, since chrome (and it forks) doesn't support must-staple, so the only big clients remaining are Firefox/thunderbird (not sure about WebKit/safari and other big mail clients like outlook)
What now?
- I must say, there is no good solution:
- Moving to ZeroSSL would be an option, but they have no CRLs support, which is important for chromium (and forks)
- Staying with Let's Encrypt would mean to lose Must Staple functionality
- But since a decision needs to be made and chrome is very important, I will stay with Let's Encrypt by default and instead change the default value of ACME_MUST_STAPLE, maybe stapling needs to be fully removed even if your custom CA supports it, but I will try to find a way to prevent this
- If ZeroSSL or any other public ACME supporting CA will have support for OCSP Stapling/Must-Staple and CRLs, then this will become the new default CA
When will the change happen?
- Before January 30, 2025 (the day Must-Staple will stop working for new instances)
- I have no date exactly, but I will try to have some releases until this change:
- at least on release mentioning this change in its changelog, in a few days
- in between (or maybe with the next release), I will sync the value of ACME_MUST_STAPLE with all renewal configs of certbot cert to make sure that certs which get renewed will have the same setting as the env (maybe I will also sync the ACME_SERVER env)
- and at some point ACME_MUST_STAPLE will be changed to false by default (and stapling may be removed) - maybe still in December
- ENVs set by you will not be overridden