Migration from OCSP to CRL

It's official that OCSP is now dropped, so I will need to migrate all my servers to include CRL instead. However, I can't find information on how to get CRL certs, so currently my www.9cubes.com is getting "Validation error
CRL ERROR: IOException occurred" from www.ssllabs.com

Need help in getting this solved. Currently, the SSL stapling commands are

	#ssl_stapling on;
	#ssl_stapling_verify on;

and add

	ssl_crl /etc/location/cert.pem

However, I believe I'm choosing the wrong PEM out of the 4 PEMs available, which are
cert, fullchain, chain, and privkey. Does anyone know which one?

I really appreciate any help anyone can provide.

Somewhat ironically, the nginx ssl_crl directive docs at Module ngx_http_ssl_module are failing to load for me currently, but you seem to have fixed this now?


@KingRichard, welcome to the community! :slightly_smiling_face:

I use the following command to manually retrieve the URI of the CRL for a given certificate:

openssl x509 -noout -text -in '<certificate>' | sed -n -e '/X509v3 CRL Distribution Points:/,$ { /URI:/ { s/^.*URI:// p; q } }'

This is not needed:

Specifies a file with revoked certificates (CRL) in the PEM format used to verify client certificates.


Yeah as @tob says, that directive seems to be only required for client certs.


hi everyone, first of all thank you for all the help. However, I'm still confused about how to solve the problem from the www.ssllabs.com result, which is pointing out that an error occurs

[Screenshot of the SSL Labs result, 2025-07-20]

so I'm still not sure how to fix this. Maybe you guys have some idea?

hi, wondering what should I do for Let's Encrypt? Will this get its CRL certificate?

I think this error is between SSLLabs and Let's Encrypt. Nothing you can correct yourself.


Unlike OCSP stapling, I believe CRL is needed on the opposite side of the TLS connection to verify the validity of the certificate presented. I think you are configuring an HTTPS server, so the CRL is needed only on the web client side.


Yes, my fellow volunteers are correct: from the webserver side there's nothing you can do with regard to CRLs for regular server certificates. They can't be stapled like OCSP responses. That would be insane, stapling such a large data blob to the handshake compared to small OCSP responses.

It's the job of the client to read out the CRL URI and, if they want to, fetch it and check it. Or use one of the other derivative implementations like CRLite.

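To make the client-side picture concrete, here is an added example (my own, not from this thread or the Let's Encrypt project): it builds a throwaway CA, a server certificate carrying a CRL Distribution Point and a CRL that revokes it, then does the two things a relying party does with that certificate: pulls the CRL URI out of it, as tob's one-liner above does, and validates the leaf against the CRL, the check Osiris describes. It assumes openssl 1.1.1 or later with its default config on PATH; every name and the crl.example.test URI are constructed placeholders, and the CRL is read from a local file rather than fetched over HTTP.

```shell
# Added example, not from the thread. Constructed CA, leaf and CRL; the client
# steps are crl_uri (read the DP) and crl_status (check the leaf against the CRL).
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Throwaway CA (EC key so the whole script runs in well under a second).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout ca.key -out ca.pem -days 30 -subj "/CN=Constructed Test CA" 2>/dev/null
# Server certificate; the extension file is where the CRL Distribution Point comes from.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout srv.key -out srv.csr -subj "/CN=www.example.test" 2>/dev/null
printf 'crlDistributionPoints=URI:http://crl.example.test/ca.crl\n' > srv.ext
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out srv.pem -days 30 -extfile srv.ext 2>/dev/null

# Client step 1: read the CRL URI out of the cert (POSIX awk form of tob's sed one-liner).
crl_uri() {
  openssl x509 -noout -text -in "$1" |
    awk '/CRL Distribution Points/ { f = 1 }
         f && /URI:/ { sub(/.*URI:/, ""); print; exit }'
}

# Minimal "openssl ca" setup: an index and a CRL number are all -revoke/-gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
EOF
touch index.txt
echo 1000 > crlnumber
CA="openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key"

# Client step 2: validate the leaf with -crl_check, what a CRL-aware client does with the fetched file.
crl_status() {
  if openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo REVOKED
  fi
}

$CA -gencrl -out ca.crl 2>/dev/null   # empty CRL: nothing revoked yet
BEFORE=$(crl_status srv.pem)
$CA -revoke srv.pem 2>/dev/null       # revoke the server cert
$CA -gencrl -out ca.crl 2>/dev/null   # reissue the CRL with that serial on it
AFTER=$(crl_status srv.pem)
echo "CRL URI: $(crl_uri srv.pem)  before: $BEFORE  after: $AFTER"
```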

Got it. So basically, we will be unable to fix this error. However, its HTTPS is already fixed and secure, right? Again, thank you everyone, appreciated.


Yes, your A+ score at SSL Labs indicates that.

Interestingly, I ran an SSL Labs test for your domain late last night and it did not show the CRL IO error. Although, it does again this morning. Other domains sometimes show that error and sometimes not. It is definitely a problem with the SSL Labs test itself.

See, for example, letsencrypt.org shows the same error: SSL Server Test: letsencrypt.org (Powered by Qualys SSL Labs)

Update: The error is already reported at their GitHub. See: CRL ERROR: IOException occurred · Issue #975 · ssllabs/ssllabs-scan · GitHub. It was reported about a year ago, so not hopeful for a rapid fix.
