
Pippin friendica

Well, this (attached link) is annoying.

I have my kind-of "beta-mode", kind-of production (but not for a huge number of sites, because of being kinda beta) web proxy/front end setup which I spent ages writing and still need to fully finish off, turn into a cluster rather than a SPoF, and write a control panel for, so that there's a configuration UI other than SQL.

One feature I specifically built into the certificate management was that it was to always *always* staple OCSP, so that no (modern) client should ever have to contact an OCSP responder itself, and it will switch to a backup certificate if an OCSP response expires and it can't get a valid replacement.

I guess I'm going to have to do yet more work on it to make it recognise certificates without an OCSP responder URL and ignore all the OCSP stapling logic for such certs and tolerate them not having OCSP responses to staple.

Oh well, I suppose the internet keeps changing and I should have known something would soon render all my work obsolete. Doesn't stop it being annoying.
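The certificate-selection rule described in the post, sketched as an added example; it is not the poster's code. `Cert`, `Staple`, `select`, `usable_staple` and the `fetch` callback are hypothetical names, and a real front end would read the OCSP URL from the certificate's Authority Information Access extension and verify each response before caching it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

@dataclass
class Staple:
    next_update: datetime            # time at which the cached OCSP response expires

@dataclass
class Cert:
    name: str
    ocsp_url: Optional[str]          # None: certificate carries no OCSP responder URL
    staple: Optional[Staple] = None  # cached OCSP response, if any

Fetch = Callable[[Cert], Optional[Staple]]  # hypothetical responder query

def usable_staple(cert: Cert, now: datetime, fetch: Fetch) -> Optional[Staple]:
    """Return a staple that is valid at `now`, refreshing it if needed."""
    if cert.staple and cert.staple.next_update > now:
        return cert.staple
    try:
        fresh = fetch(cert)
    except OSError:                  # responder unreachable
        return None
    if fresh and fresh.next_update > now:
        cert.staple = fresh
        return fresh
    return None

def select(certs: List[Cert], now: datetime,
           fetch: Fetch) -> Tuple[Optional[Cert], Optional[Staple]]:
    """Pick the first servable certificate from a preference-ordered list.

    A certificate with an OCSP URL is served only with a valid staple;
    a certificate without one skips the stapling logic entirely.
    """
    for cert in certs:
        if cert.ocsp_url is None:
            return cert, None        # nothing to staple, serve as-is
        staple = usable_staple(cert, now, fetch)
        if staple is not None:
            return cert, staple
    return None, None                # nothing servable under the always-staple rule
```
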