Just found out in my nginx log: “ssl_stapling” ignored, no OCSP responder URL. Nginx does not get a response from the Let’s Encrypt certificate URL, and Let’s Encrypt has deprecated OCSP stapling and moved to CRL.
Since Let’s Encrypt has deprecated OCSP stapling and moved to CRL (Certificate Revocation Lists), your Nginx configuration should be adjusted accordingly.
Previously, you might have had something like this in your Nginx config:
```nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
resolver 8.8.8.8 8.8.4.4;
```
With OCSP stapling no longer supported, you should remove the `ssl_stapling` and `ssl_stapling_verify` directives. Instead, ensure that your certificate renewal process is robust, as CRLs are checked by clients rather than being proactively stapled by the server.
For Let’s Encrypt certificates, Nginx will continue to serve them normally, but clients will rely on CRLs to verify revocation status. You don’t need to configure anything additional in Nginx for CRL handling—browsers and clients will handle it automatically.
If you’re using Certbot for certificate management, just ensure it’s renewing certificates properly.
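As an added check (not part of the question or the answer above), the following Python script reproduces nginx's reasoning: it looks for stapling directives in a server block, checks `openssl x509 -noout -text` output for an OCSP responder URL, reports the directives nginx would ignore, and comments them out. The server block and certificate text are constructed samples; the regexes and function names are assumptions of this example.

```python
import re

# nginx logs '"ssl_stapling" ignored, no OCSP responder URL' when the leaf cert has no AIA OCSP entry.
DIRECTIVE_RE = re.compile(r"^\s*(ssl_stapling(?:_verify)?)\s+\S+\s*;")
OCSP_URI_RE = re.compile(r"OCSP - URI:(\S+)")

# Constructed sample server block, mirroring the config in the answer.
SAMPLE_CONF = """\
server {
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
}
"""
# Constructed excerpt of `openssl x509 -noout -text` output: CRL distribution point, no OCSP responder.
SAMPLE_CERT_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.invalid/r1.crl
"""

def find_stapling_directives(config_text):
    """Return [(line_no, directive)] for every uncommented stapling directive."""
    return [(no, m.group(1))
            for no, line in enumerate(config_text.splitlines(), 1)
            if (m := DIRECTIVE_RE.match(line))]

def ocsp_responder_url(cert_text):
    """Return the OCSP URL from `openssl x509 -text` output, or None."""
    m = OCSP_URI_RE.search(cert_text)
    return m.group(1) if m else None

def audit(config_text, cert_text):
    """List the stapling directives nginx will ignore for this certificate."""
    if ocsp_responder_url(cert_text) is not None:
        return []
    return [f"line {no}: '{d}' ignored, certificate has no OCSP responder URL"
            for no, d in find_stapling_directives(config_text)]

def disable_stapling(config_text):
    """Comment out stapling directives; return (new_text, number_changed)."""
    out, changed = [], 0
    for line in config_text.splitlines():
        if DIRECTIVE_RE.match(line):
            out.append("# " + line.strip() + "  # disabled: no OCSP responder")
            changed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", changed
```

The `resolver` directive is left in place because other features (for example `proxy_pass` with hostnames) may still depend on it.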