Autoconfigure OCSP Stapling with --must-staple

certbot/client.py

@@ -398,6 +398,7 @@ class Client(object):
         hsts = config.hsts if "ensure-http-header" in supported else False
         uir = config.uir if "ensure-http-header"  in supported else False
         staple = config.staple if "staple-ocsp" in supported else False
+        must_staple = config.must_staple
 
         if redirect is None:
             redirect = enhancements.ask("redirect")
@@ -411,11 +412,11 @@ class Client(object):
         if uir:
             self.apply_enhancement(domains, "ensure-http-header",
                     "Upgrade-Insecure-Requests")
-        if staple:
+        if staple or must_staple:
             self.apply_enhancement(domains, "staple-ocsp")
 
         msg = ("We were unable to restart web server")
-        if redirect or hsts or uir or staple:
+        if redirect or hsts or uir or staple or must_staple:
             with error_handler.ErrorHandler(self._rollback_and_restart, msg):
                 self.installer.restart()
 

certbot/interfaces.py

@@ -201,9 +201,9 @@ class IConfig(zope.interface.Interface):
         "Email used for registration and recovery contact.")
     rsa_key_size = zope.interface.Attribute("Size of the RSA key.")
     must_staple = zope.interface.Attribute(
-        "Whether to request the OCSP Must Staple certificate extension. "
-        "Additional setup may be required after issuance. This does not "
-        "currently autoconfigure web servers for OCSP stapling. ")
+        "Adds the OCSP Must Staple extension to the certificate."
+        "Autoconfigures OCSP Stapling for supported setups "
+        "(Apache version >= 2.3.3 ).")
 
     config_dir = zope.interface.Attribute("Configuration directory.")
     work_dir = zope.interface.Attribute("Working directory.")