
Textpattern CMS support forum


#1 2025-01-28 19:10:16

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,321
GitHub

Textpattern project websites: changes to TLS certificate issuance

I am forcing a reissue of all our self-hosted website TLS certificates to ensure we are compliant with changes happening at Let’s Encrypt, who are our TLS provider.

From Let’s Encrypt:

letsencrypt.org/2024/12/05/ending-ocsp/

Today we are providing a timeline for ending OCSP services:

January 30, 2025
OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension

May 7, 2025
Prior to this date we will have added CRL URLs to certificates
On this date we will drop OCSP URLs from certificates
On this date all requests including the OCSP Must Staple extension will fail

August 6, 2025
On this date we will turn off our OCSP responders

We are approaching the January 30, 2025 milestone. We are eligible for OCSP Must Staple requests as we’ve done it before, so in theory nothing will snap, but it’s cleaner if I request new certificates without the OCSP stuff.

I’ve started this process, and I expect to be done by the January 30, 2025 milestone.

Edit: provisionally done. I am waiting patiently for email reminders from Let’s Encrypt in case any domains haven’t been issued correctly.

If all goes well, you won’t even notice any changes.

If you find any of our websites are choking with a TLS (SSL) error, please let me know by raising an issue here or pinging an email to contact {at} textpattern.com.

Thank you.

Last edited by gaekwad (2025-01-28 20:44:06)

Offline

#2 2025-01-28 22:25:44

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,562
Website GitHub

Re: Textpattern project websites: changes to TLS certificate issuance

I’d like to say I understand any of that stapling stuff, but I’d be lying. Presumably, if I have no idea what it is then it won’t affect my Let’s Encrypt certs for my own domains as I’m probably not using it.

Thank you for raising this and sorting it for the Txp domains, though. I’m so glad you have your ear to the ground. We’d be sunk without your continued support.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#3 2025-01-28 22:29:24

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,787
Website

Re: Textpattern project websites: changes to TLS certificate issuance

Will gladly echo that too!


TXP Builders – finely-crafted code, design and txp

Offline

#4 2025-01-28 22:30:39

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,321
GitHub

Re: Textpattern project websites: changes to TLS certificate issuance

Bloke wrote #338950:

Presumably, if I have no idea what it is then it won’t affect my Let’s Encrypt certs for my own domains as I’m probably not using it.

If you’re using certbot, check your renewal config for the domain (should be in /etc/letsencrypt/renewal/) – there may be a line in there that forces the stapling:

must_staple = True

If that’s missing, you’re fine. If it’s present, delete the whole line.

Thank you for raising this and sorting it for the Txp domains, though. I’m so glad you have your ear to the ground. We’d be sunk without your continued support.

I’d say the same for everyone else here, including yourself!

Offline

#5 2025-01-30 17:36:36

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,562
Website GitHub

Re: Textpattern project websites: changes to TLS certificate issuance

gaekwad wrote #338952:

If you’re using certbot

I am.

… check your renewal config for the domain (should be in /etc/letsencrypt/renewal/) – there may be a line in there that forces the stapling: must_staple = True... If that’s missing, you’re fine.

$> cd /etc/letsencrypt/renewal
$> grep -ir staple *
$> //crickets

All good :) Thank you for the precis.



Offline
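
The renewal-config check discussed in posts #4 and #5, written as a reusable script. This is an added example, not part of any forum post and not certbot's own code. It assumes certbot's default renewal directory; the function names and the demo configs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit certbot renewal configs for must_staple.
# Assumes certbot's default layout: /etc/letsencrypt/renewal/<lineage>.conf

# Active (uncommented) "must_staple = True" line, any case or spacing.
STAPLE_RE='^[[:space:]]*must_staple[[:space:]]*=[[:space:]]*true[[:space:]]*$'

# Print the lineage name of each config that forces Must-Staple.
# Exit status: 0 if any were found, 1 if none.
find_must_staple() {
    local dir="${1:-/etc/letsencrypt/renewal}" conf found=1
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue   # glob matched nothing
        if grep -Eiq "$STAPLE_RE" "$conf"; then
            basename "$conf" .conf
            found=0
        fi
    done
    return "$found"
}

# Delete the whole must_staple line from one config, keeping <file>.bak.
strip_must_staple() {
    local conf="$1" tmp
    cp -p "$conf" "$conf.bak" || return 1
    tmp="$(mktemp)" || return 1
    # grep -v exits 1 when it outputs nothing; only status 2 is an error.
    grep -Eiv "$STAPLE_RE" "$conf" > "$tmp" || [ "$?" -eq 1 ] || return 1
    cat "$tmp" > "$conf"             # overwrite in place: owner and mode kept
    rm -f "$tmp"
}

# Demo on constructed configs (not real certbot output): run with --demo.
demo() {
    local d; d="$(mktemp -d)" || return 1
    printf '[renewalparams]\nauthenticator = webroot\nmust_staple = True\n' > "$d/example.org.conf"
    printf '[renewalparams]\n# must_staple = True\nauthenticator = nginx\n' > "$d/example.net.conf"
    echo "before:"; find_must_staple "$d"
    strip_must_staple "$d/example.org.conf"
    echo "after:";  find_must_staple "$d" || echo "(none)"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Editing the renewal config only affects future issuance; the certificate currently installed is unchanged until it is next renewed or reissued.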

#6 2025-01-30 17:39:56

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,321
GitHub

Re: Textpattern project websites: changes to TLS certificate issuance

Speaking of certbot, I’ve finally gotten around to tooling up ZeroSSL as an alternative TLS provider. I’ll be adding some more providers on the next round of server builds (~spring 2025).

Offline
