From 0b688aaabbce96038135240616b7592fdfd3e4ff Mon Sep 17 00:00:00 2001 From: "J.C. Jones" Date: Mon, 9 Dec 2024 11:19:07 -0700 Subject: [PATCH] Remove suggestion for OCSP Stapling from the Integration Guide --- content/en/docs/integration-guide.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/content/en/docs/integration-guide.md b/content/en/docs/integration-guide.md index 1126652b2..e28963c38 100644 --- a/content/en/docs/integration-guide.md +++ b/content/en/docs/integration-guide.md @@ -3,7 +3,7 @@ title: Integration Guide linkTitle: Client and Large Provider Integration Guide slug: integration-guide date: 2016-08-08 -lastmod: 2020-12-08 +lastmod: 2024-12-09 show_lastmod: 1 --- 
@@ -88,12 +88,6 @@ If you want to use the http-01 challenge anyhow, you may want to take advantage Related to the above two points, it may make sense, if you have a lot of frontends, to use a smaller subset of servers to manage issuance. This makes it easier to use redirects for http-01 validation, and provides a place to store certificates and keys durably. -# Implement OCSP Stapling - -Many browsers will fetch OCSP from Let's Encrypt when they load your site. This is a [performance and privacy problem](https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/). Ideally, connections to your site should not wait for a secondary connection to Let's Encrypt. Also, OCSP requests tell Let's Encrypt which sites people are visiting. We have a good privacy policy and do not record individually identifying details from OCSP requests, we'd rather not even receive the data in the first place. Additionally, we anticipate our bandwidth costs for serving OCSP every time a browser visits a Let's Encrypt site for the first time will be a big part of our infrastructure expense. - -By turning on OCSP Stapling, you can improve the performance of your website, provide better privacy protections for your users, and help Let's Encrypt efficiently serve as many people as possible. - # Firewall Configuration To use Let's Encrypt, you need to allow outbound port 443 traffic from the
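Review bot: the second hunk deletes the whole "Implement OCSP Stapling" section (heading, the performance/privacy/bandwidth rationale, and the closing recommendation) without leaving any replacement text, so operators who followed the earlier advice and enabled stapling get no guidance on whether to keep it, turn it off, or what to expect instead; the commit message ("Remove suggestion for OCSP Stapling") does not state the reason either. Suggest adding a short note where the section was, or at least in the commit message, saying why the recommendation is withdrawn and what, if anything, replaces it. Removing the `# Implement OCSP Stapling` heading also drops the anchor it generated, so any inbound links to that section from other pages under `content/` will now land at the top of the guide; worth a grep before merging. The `lastmod` bump in the first hunk matches the commit date and needs no change.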