From d6905a12b189f38a150b2da54f105d977dbf49e7 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Fri, 27 Jun 2025 09:52:30 +0100
Subject: [PATCH] Drop OCSP checks as letsencrypt is dropping OCSP

---
 .../templates/default/check-certificate.erb | 37 -------------------
 1 file changed, 37 deletions(-)

diff --git a/cookbooks/letsencrypt/templates/default/check-certificate.erb b/cookbooks/letsencrypt/templates/default/check-certificate.erb
index 319072b6b..23ab39127 100644
--- a/cookbooks/letsencrypt/templates/default/check-certificate.erb
+++ b/cookbooks/letsencrypt/templates/default/check-certificate.erb
@@ -37,43 +37,6 @@ if ssl
     puts "Certificate #{domains.first} on #{host} does not use ECDSA key type"
   end
 
-  digest = OpenSSL::Digest::SHA1.new
-  certificate_id = OpenSSL::OCSP::CertificateId.new(certificate, issuer, digest)
-  ocsp_request = OpenSSL::OCSP::Request.new.add_certid(certificate_id)
-
-  authority_info_access = certificate.extensions.find { |ext| ext.oid == "authorityInfoAccess" }
-  ocsp = authority_info_access.value.split("\n").find { |desc| desc.start_with?("OCSP") }
-  ocsp_uri = URI(ocsp.sub(/^.* URI:/, ""))
-
-  http_response = Net::HTTP.start(ocsp_uri.hostname, ocsp_uri.port) do |http|
-    path = ocsp_uri.path
-    path = "/" if path.empty?
-    http.post(path, ocsp_request.to_der, "Content-Type" => "application/ocsp-request")
-  end
-
-  basic_response = OpenSSL::OCSP::Response.new(http_response.body).basic
-
-  store = OpenSSL::X509::Store.new
-  store.set_default_paths
-
-  unless basic_response.verify(chain, store)
-    raise "OCSP response is not signed by a trusted certificate"
-  end
-
-  single_response = basic_response.find_response(certificate_id)
-
-  unless single_response
-    raise "OCSP response does not have the status for the certificate"
-  end
-
-  unless single_response.check_validity
-    raise "OCSP response is not valid"
-  end
-
-  if single_response.cert_status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
-    puts "Certificate #{domains.first} on #{host} has been revoked"
-  end
-
   subject_alt_name = certificate.extensions.find { |ext| ext.oid == "subjectAltName" }
 
   if subject_alt_name.nil?
-- 
2.39.5