Let's Encrypt announced in December 2024 that they would be ending support for SSL (OCSP) stapling.
The timeline for this was given as:
- January 30, 2025
  - OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension
- May 7, 2025
  - Prior to this date we will have added CRL URLs to certificates
  - On this date we will drop OCSP URLs from certificates
  - On this date all requests including the OCSP Must Staple extension will fail
- August 6, 2025
  - On this date we will turn off our OCSP responders
The error I was receiving in /var/log/nginx/error.log when nginx was restarted was:
"ssl_stapling" ignored, no OCSP responder URL in the certificate
The fix for this is easy. Open /etc/nginx/conf.d/ssl.conf in your favorite editor and comment out the following lines:
#ssl_stapling on;
#ssl_stapling_verify on;
Save the file, then restart nginx:
systemctl restart nginx
That should get you back up and running.
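
The same fix as a script, for hosts with more than one config file. This is an added example, not part of the original post: it comments out the stapling directives only when the certificate really has no OCSP responder URL, and keeps a backup. The function names are hypothetical, and the certificate and config paths are passed as arguments.

```shell
#!/bin/sh
# Added example. Usage: sh fix-stapling.sh <certificate.pem> <nginx-conf-file>

# Succeeds if the PEM certificate advertises an OCSP responder URL.
cert_has_ocsp_url() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null)" ]
}

# Regex for an active (uncommented) "ssl_stapling on;" or
# "ssl_stapling_verify on;" directive. "off" and ssl_stapling_file
# lines do not match.
STAPLING_RE='^[[:space:]]*ssl_stapling(_verify)?[[:space:]]+on[[:space:]]*;'

# Print the number of active stapling directives in a config file.
count_active_stapling() {
    grep -cE "$STAPLING_RE" "$1" || true   # grep exits 1 on zero matches
}

# Comment out active stapling directives, preserving indentation.
# The original is kept as <file>.bak, which an include of *.conf
# does not pick up. Writing back into the existing file keeps its
# owner and mode.
disable_stapling() {
    cp -p "$1" "$1.bak" &&
    sed -E 's/^([[:space:]]*)(ssl_stapling(_verify)?[[:space:]]+on[[:space:]]*;)/\1#\2/' \
        "$1.bak" > "$1"
}

if [ "$#" -eq 2 ]; then
    cert=$1
    conf=$2
    # An unreadable certificate must not be mistaken for "no OCSP URL".
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; exit 2; }
    if cert_has_ocsp_url "$cert"; then
        echo "certificate still carries an OCSP URL; $conf left unchanged"
    elif [ "$(count_active_stapling "$conf")" -gt 0 ]; then
        disable_stapling "$conf"
        echo "stapling directives commented out in $conf (backup: $conf.bak)"
        echo "check the result with 'nginx -t' before 'systemctl restart nginx'"
    else
        echo "no active stapling directives in $conf"
    fi
fi
```
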