KBeezie

There's no place like ::1

Nginx “ssl_stapling” Ignored With Let's Encrypt Certbot (2025)

Posted on 2025/05/09 (updated 2025/05/10)

If you are seeing this warning this month (May 2025) and have searched the web for a fix, you will find that there is no fix that keeps OCSP stapling enabled.

Bash
2025/05/09 13:44:25 [warn] 22666#22666: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/letsencrypt/live/your-domain.com/fullchain.pem"

Let's Encrypt made an announcement in December of 2024 that laid out the following timeline:

  • January 30, 2025
    • OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension
  • May 7, 2025
    • Prior to this date we will have added CRL URLs to certificates
    • On this date we will drop OCSP URLs from certificates
    • On this date all requests including the OCSP Must Staple extension will fail
  • August 6, 2025
    • On this date we will turn off our OCSP responders

As a result, certificates issued after May 7, 2025 no longer include an OCSP URL, and the warning above will show in the NGINX log. After August 6, 2025, any existing certificate that still relies on OCSP stapling will not get a response from Let's Encrypt's servers.

The fix is simply to turn off OCSP stapling, as the feature is no longer available with Let's Encrypt certificates. If you use certbot to install and manage your certificates, you may have the following line in your nginx configuration.

Nginx
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot

Open that file with either vim or nano, find the following lines, and comment them out with a #.

Nginx
#ssl_stapling on;
#ssl_stapling_verify on;

Double-check the rest of your nginx configuration, particularly your server blocks, in case those directives are set in other locations instead, and comment them out for any domain using a Let's Encrypt certificate. Then test your nginx configuration.

Bash
root@lin:/etc/letsencrypt# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

This should cut down on the log entries and have your configuration set up correctly for the change.
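To find every place that still needs the change, the following added example (not part of the original post; the function names are hypothetical) pulls the affected certificate paths out of the nginx warnings and lists stapling directives that are still active, skipping commented-out ones. It assumes the error log is at /var/log/nginx/error.log and that `openssl` is installed for the optional certificate check.

```sh
#!/bin/sh
# Added example: audit helpers for the Let's Encrypt OCSP removal.
# Function names are hypothetical; all paths are supplied by the caller.

# Unique certificate paths named in nginx "ssl_stapling ignored" warnings.
affected_certs() {          # usage: affected_certs ERROR_LOG...
    sed -n 's/.*"ssl_stapling" ignored, no OCSP responder URL in the certificate "\([^"]*\)".*/\1/p' "$@" | sort -u
}

# Prints "file:line: text" for every ACTIVE "ssl_stapling on;" or
# "ssl_stapling_verify on;" under the given files or directories.
# Anything after '#' is treated as a comment, so disabled lines are skipped.
find_active_stapling() {    # usage: find_active_stapling PATH...
    find "$@" -type f 2>/dev/null | sort | while IFS= read -r f; do
        awk -v f="$f" '
            { line = $0; sub(/#.*/, "", line) }
            line ~ /(^|[;{}])[ \t]*ssl_stapling(_verify)?[ \t]+on[ \t]*;/ {
                print f ":" NR ": " $0
            }' "$f"
    done
}

# True if the certificate still carries an OCSP responder URL (certificates
# issued before the cutoff keep it until they are renewed).
cert_has_ocsp_url() {       # usage: cert_has_ocsp_url CERT.pem
    [ -n "$(openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null)" ]
}

# Run as: sh audit.sh --audit /var/log/nginx/error.log /etc/nginx /etc/letsencrypt
if [ "${1:-}" = "--audit" ] && [ "$#" -ge 3 ]; then
    log=$2; shift 2
    affected_certs "$log" | while IFS= read -r cert; do
        if cert_has_ocsp_url "$cert"; then state="has OCSP URL"; else state="no OCSP URL"; fi
        echo "$cert: $state"
    done
    echo "Active stapling directives:"
    find_active_stapling "$@"
fi
```

Any line printed under "Active stapling directives" is one to comment out before running `nginx -t`.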

© 2025 KBeezie