Nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: service nginx restart

It produced this output:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/etc/letsencrypt/live/truenas/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "

My web server is (include version): nginx v 1.20.1

The operating system my web server runs on is (include version):TrueNAS-12.0-U5.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.18.0

Hi @Volkodav welcome to the LE community forum :slight_smile:

If it shows that error every time nginx is restarted, then please post that file here.

Do you mean log error file? I have a feeling this whole mess is because of nginx version 1.20.1 and I read somewhere that OCSP is supported in =>1.3.7
error.log.txt (196.4 KB)

No, I mean for you to show the file in the error message:

fullchain.pem (5.5 KB) This one? Bad news is that a newer version is not available in package or in portree which was deprecated anyway

IT seems that, in your case, since it is using the default trusted path chain which ends with "DST Root CA X3 (expired)", nginx fails to find the relevant OSCP information needed.

I would try removing the last cert from the fullchain.pem file and restart nginx.
If that workaround fixes the problem, you will have to switch to using the alternate trust path chain.
If it does NOT fix the problem, please show the nginx vhost config file that serves that FQDN securely.

I don't think it has to do with that, as nginx usually only cares about OCSP info for the leaf. To me it looks like some weirdness is going on with the nginx config itself.

1 Like

Step by step...
Inch by inch...
Leaving no leaf unturned...
We will get to the bottom of this!

1 Like

nextcloud.conf.txt (6.7 KB)
Here is the config and I have no clue how to remove that one certificate from that bundle

VI ?
FTP out, edit with notepad (NOT WORDPAD), FTP back in ?

The ssl_trusted_certificate directive doesn't belong there. That's for:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.

(Module ngx_http_ssl_module)

I see that you've commented out some lines. Can you uncomment them, but leave this specific directive commented? Don't forget to reload/restart nginx after making changes.

1 Like

Yeah I am cool with nano - let me try - I still think it must be the nginx version that's a show stopper here

1 Like

When you comment out those lines, then nginx may default to using whatever is in the main config.
Let's have a look at that file too.

Oooo look another leaf to look under!

1 Like


nginx.conf.txt (3.3 KB)

Did that - posted the output after nginx restart

These are being globally set:

  # SSL
  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;

  # Verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;

I would remove the first three:

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;

I did - that's what happened

Please use complete sentences.
You did what exactly?

Removed those three as was advised

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;
  ssl_trusted_certificate /usr/local/etc/letsencrypt/live/truenas/chain.pem;