Remove OCSP stapling

https://letsencrypt.org/2024/07/23/replacing-ocsp-with-crls.html

certbot/default-quic

@@ -1,5 +1,4 @@
 certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
-    --key-type ecdsa --must-staple \
-    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --key-type ecdsa
     --cert-name hostname.of.your.server \
     -d hostname.of.your.server

certbot/miniflux

@@ -1,5 +1,4 @@
 certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
-    --key-type ecdsa --must-staple \
-    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --key-type ecdsa
     --cert-name miniflux.yourdomain.tld \
     -d miniflux.yourdomain.tld

certbot/uptime-kuma

@@ -1,5 +1,4 @@
 certbot certonly --webroot --webroot-path /srv/nginx --no-eff-email \
-    --key-type ecdsa --must-staple \
-    --deploy-hook "certbot-ocsp-fetcher -o /var/cache/certbot-ocsp-fetcher" \
+    --key-type ecdsa
     --cert-name uptime.yourdomain.tld \
     -d uptime.yourdomain.tld

etc/nginx/conf.d/sites_default_quic.conf

@@ -13,5 +13,4 @@ server {
     ssl_certificate /etc/letsencrypt/live/hostname.of.your.server/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/hostname.of.your.server/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/hostname.of.your.server/chain.pem;
-    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/hostname.of.your.server.der;
 }

etc/nginx/conf.d/sites_miniflux.conf

@@ -9,7 +9,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/miniflux.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/miniflux.yourdomain.tld/chain.pem;
-    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/miniflux.yourdomain.tld.der;
 
     include snippets/universal_paths.conf;
     include snippets/hsts.conf;

etc/nginx/conf.d/sites_uptime-kuma.conf

@@ -11,7 +11,6 @@ server {
     ssl_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/uptime.yourdomain.tld/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/uptime.yourdomain.tld/chain.pem;
-    ssl_stapling_file  /var/cache/certbot-ocsp-fetcher/uptime.yourdomain.tld.der;
 
     include snippets/universal_paths.conf;
     include snippets/hsts.conf;

setup.sh

@@ -54,16 +54,6 @@ unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/sys
 chmod 644 /etc/systemd/system/nginx.service.d/override.conf
 sudo systemctl daemon-reload
 
-# Setup certbot-ocsp-fetcher
-unpriv curl https://raw.githubusercontent.com/tomwassenberg/certbot-ocsp-fetcher/main/certbot-ocsp-fetcher | sudo tee /usr/local/bin/certbot-ocsp-fetcher
-## Explicitly using /var/usrlocal/bin here because SELinux does not follow symlinks
-sudo semanage fcontext -a -t bin_t /var/usrlocal/bin/certbot-ocsp-fetcher
-sudo restorecon -Rv /var/usrlocal/bin/certbot-ocsp-fetcher
-sudo chmod u+x /var/usrlocal/bin/certbot-ocsp-fetcher
-sudo semanage fcontext -a -t httpd_config_t "/var/cache/certbot-ocsp-fetcher(/.*)?"
-sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
-sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
-
 # Setup nginx-create-session-ticket-keys
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys
 ## Explicitly using /var/usrlocal/bin here because SELinux does not follow symlinks