Skip to content

nginx OCSP stapling is mostly obsolete

Severity: lowApplies to: nginx 1.25+Applies to: nginx 1.30 / 1.31Applies to: Let's Encrypt certificates
The fix
# If your certificate is from Let's Encrypt: delete these lines.
# They have had no effect since August 2025.
#
# ssl_stapling on;
# ssl_stapling_verify on;

If your CA still operates an OCSP responder, stapling is still worth enabling — the config for that is at the bottom of this page.

OCSP stapling was standard advice for a decade: the server fetches a signed “this certificate is still valid” response from the CA and staples it to the handshake, so the browser doesn’t have to ask the CA itself — which is slow and leaks the user’s browsing to the CA.

That privacy problem is what ended it. Let’s Encrypt turned off its OCSP service on 6 August 2025, having announced it in December 2024, and it now publishes revocation information exclusively via Certificate Revocation Lists. It also stopped including OCSP URLs in certificates more than 90 days before the shutdown, so by now every Let’s Encrypt certificate carrying one has expired.

The consequence for your config is direct: ssl_stapling on tells nginx to fetch an OCSP response using the URL in the certificate. There is no URL. There is nothing to fetch, nothing to staple, and nothing happens.

It fails quietly, which is the annoying part

Section titled “It fails quietly, which is the annoying part”

nginx does not treat this as an error. The handshake works, the site is fine, and the only trace is a warning in the error log:

[warn] no OCSP responder URL in the certificate

So a config that has been “hardened with OCSP stapling” since 2019 has been doing nothing for the past year, and the only way to know is to look for a warning nobody greps for. This is why the page exists at low severity: it closes no exposure. It stops you believing in something that isn’t happening, and it removes a line that will confuse the next person who reads the config.

Revocation still works. Browsers use CRL-based mechanisms — Firefox’s CRLite and Chrome’s CRLSets — which ship revocation data to the browser out of band. That was already how revocation mostly worked in practice, because browsers had largely stopped doing live OCSP lookups years ago. Nothing regressed; a mechanism that had already been quietly bypassed got switched off.

Not every CA has followed. If yours still publishes a responder URL, stapling is still a small performance and privacy win:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
resolver 127.0.0.53 valid=300s;
resolver_timeout 5s;

ssl_stapling_verify on requires ssl_trusted_certificate pointing at the issuer chain, and stapling needs a working resolver because nginx must resolve the OCSP hostname itself. Both are omitted often enough that plenty of configs claiming to staple never did — even before Let’s Encrypt made the point moot.