No OCSP URL available

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hhdw.org

I ran this command:
After running Apache httpd server-status - in the section labeled Managed Certificates,
I saw the following output:

Domain: hhdw.org
Names: hhdw.org
Status: good
Valid: until 2025-08-18
CA: LetsEncrypt (https://acme-v02.api.letsencrypt.org/directory)
Stapling: on
CheckAt: crt.sh[rsa] (crt.sh | 7d33c82e88f4f3f1653aa861ace9f0464f139f31445c66be6ff1bebcb080224c)
Activity: Renew 2025-07-10

I clicked on the crt.sh URL above
When the crt.sh URL came up, under Revocation section, for OCSP Mechanism/status, there was another URL which I ran:

It produced this output:
Mechanism: OCSP
Provider The CA
Status No OCSP URL available
Last Observed in CRL - n/a
Last Checked (error) 2025-06-06 16:11:17 UTC

My web server is (include version):
Apache 2.4.63, with mod-status

The operating system my web server runs on is (include version):
MS Windows Server 2019 datacenter

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Here's some of my configuration:
snippet from httpd-vhosts.conf

<VirtualHost 10.0.0.231:443>
	ServerName hhdw.org
	#### use http2, and permit acme to just use 443
	Protocols h2 http/1.1 acme-tls/1
	
	ErrorLog "logs/hhdw_443_error.log"
	CustomLog "logs/hhdw_443_access_%Y%m%d.log" combined

	SSLEngine on
	SSLInsecureRenegotiation off

	SSLProxyEngine on
	SSLProxyVerify none
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerExpire off
	SSLProxyCheckPeerName off


	#### Reverse proxy for this virtual host ####
		
	ProxyPreserveHost on
	ProxyRequests off
			
	<Proxy *>
		Require all granted
	</Proxy>

Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"

ProxyPass "/server-status" "!"
ProxyPass "/md-status" "!"
ProxyPass "/.svn" "!"
ProxyPass "/nmibis-admin" "!"
ProxyPass "/xmlrpc.php" "!"
ProxyPass "/wp-cron.php" "!"
###ProxyPass "/wp-login.php" "!"

####
	ProxyPass /report/ http://10.0.1.108/report/
	ProxyPassReverse /report/ http://10.0.1.108/report/
	ProxyPassReverseCookieDomain 10.0.1.108/report/ /report/
	ProxyPassReverseCookiePath "/report/" "/report/"
	
	ProxyPass / http://10.0.1.108/
	ProxyPassReverse / http://10.0.1.108/
	ProxyPassReverseCookiePath "/" "/"

	Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

</VirtualHost>

For httpd-ssl.conf
everything is commented out except for:
SSLCipherSuite < list of acceptable ciphers>
SSLHonorCipherOrder on
SSLProtocol +TLSv1.2 +TLSv1.3
SSLProxyProtocol +TLSv1.2 +TLSv1.3

Note: I don't have SSLUseStapling set to on, because as I understand it, when using mod_md, it provides its own stapling method.

Why am I seeing "No OCSP URL available" in the Status of the crt.sh output after running the check?

Welcome back!
Please see here: Ending OCSP Support in 2025 - Let's Encrypt

6 Likes

Thanks for such a rapid response. So now some questions, excuse my ignorance:
It sounds like the revocation is more critical for VPN use, correct?
If my application is purely a website running on SSL, it sounds like I don't need to be concerned, correct?
Finally is there anything I need to do with my current configuration?
I searched a little more after reading articles, but could not find any information.

1 Like

Uh, no? I'm not sure what you're getting at. Let's Encrypt is still revoking certificates if needed, just using CRL rather than OCSP.

The only thing you might need to change in your website configuration is turning off OCSP stapling if you previously had it on.

Are you actually experiencing an issue? Are you just looking up your certificate and seeing that it doesn't have OCSP information and getting confused by that, or is there something you're seeing that isn't working right?

5 Likes

Same or similar problem here. I have nginx Proxy Manager running with a wildcard LE cert and Cloudflare for a lot of domains. It affects Bitwarden, Nextcloud and more. All are no longer reachable on Firefox. But Opera, Edge and so on are working.

What must I do?

And it also affects Thunderbird and Bitwarden (app), not only the web-based frontend.

You should start your own thread in the Help section, filling out the questionnaire with information on your domain name and how you requested and installed the Let's Encrypt certificate. It's highly unlikely that whatever issue you're experiencing is related to OCSP URLs no longer being in Let's Encrypt's certificates.

4 Likes

There doesn't seem to be any issue that I can see. SSL Labs reports A+ rating. It was just that I was receiving "No OCSP URL available", and I now understand that this is no longer supported.
As I said in my original post, I don't have SSLUseStapling set to on, because as I understand it, when using mod_md, it provides its own stapling method.

So there doesn't seem to be any issue, and it sounds like since I do not have use stapling turned on that I don't need to do anything, correct?

SSL Labs gives me a URL for the CRL revocation information.

Is there a program available that I can use to parse that?

Correct.

To just, like, look at a CRL? It won't really do you a whole lot of good, it's basically just a list of certificate serial numbers to not trust anymore. But sure. If you download it, in Windows you can just double-click it to look at its properties and the list of revoked serial numbers. Or on systems with openssl, you can run something like openssl crl -in 41.crl -text -noout to view what's in it.

4 Likes
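To make the CRL check described in the reply above concrete, here is an added example (not part of the original thread or any project's code) that parses `openssl crl -text -noout` output and reports whether a given certificate serial is listed. The sample text is constructed and abridged, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone
# Constructed, abridged sample of `openssl crl -in FILE -text -noout` output
# (add `-inform DER` if the downloaded CRL is DER-encoded). Not a real CA's CRL.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Issuer: C = US, O = Example CA, CN = Example E1
        Last Update: Jun  6 12:00:00 2025 GMT
        Next Update: Jun 15 11:59:59 2025 GMT
Revoked Certificates:
    Serial Number: 03A1B2C3D4E5F60718293A4B5C6D7E8F9012
        Revocation Date: Jun  1 08:15:00 2025 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 04FFEEDDCCBBAA99887766554433221100AB
        Revocation Date: Jun  3 19:40:00 2025 GMT
"""

def _parse_time(value):
    # OpenSSL pads single-digit days with a space ("Jun  6"); collapse it first.
    text = " ".join(value.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def normalize_serial(serial):
    # Accept "03:a1:b2", "0x03a1b2" or "03A1B2"; compare as integers.
    s = serial.replace(":", "").strip().lower()
    return int(s[2:] if s.startswith("0x") else s, 16)

def parse_crl_text(text):
    crl = {"last_update": None, "next_update": None, "revoked": {}}
    current, prev = None, ""
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"(Last|Next) Update: (.+)", line):
            crl[m.group(1).lower() + "_update"] = _parse_time(m.group(2))
        elif m := re.match(r"Serial Number: ([0-9A-Fa-f]+)", line):
            current = normalize_serial(m.group(1))
            crl["revoked"][current] = {"date": None, "reason": None}
        elif current is not None and (m := re.match(r"Revocation Date: (.+)", line)):
            crl["revoked"][current]["date"] = _parse_time(m.group(1))
        elif current is not None and line and prev == "X509v3 CRL Reason Code:":
            crl["revoked"][current]["reason"] = line
        prev = line
    return crl

def check_serial(crl, serial, now):
    # A CRL past its Next Update says nothing reliable: report it as stale.
    if crl["next_update"] is None or now > crl["next_update"]:
        return "stale-crl"
    return "revoked" if normalize_serial(serial) in crl["revoked"] else "not-listed"
```

The serial to check can be taken from the certificate itself in any common hex notation; the comparison is done on the integer value.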

It is encrypted so I will use the openssl command.

So it sounds like, at least at this point everything is fine, and in retrospect, if I had known about the phasing out of OCSP, that I had/have nothing to worry about, Correct?

AND THANKS FOR your help and prompt replies!!!

2 Likes

It's technically just signed, not encrypted (there's nothing secret in there that you need a key in order to decode, just a key to confirm it's from the author you think it is). But it is in a binary format that won't make much sense without using a program that understands the CRL format, sure.

Yes. Nothing is wrong, everything is fine, there is no need to panic.

You're very welcome!

4 Likes

Just adding clarity about mod_md stapling ...
mod_md offers its own OCSP stapling method (MDStapling) as an alternative to the one in mod_ssl. But, it is disabled by default.

Even if you had MDStapling enabled, mod_md just skips the certificate if it has no OCSP URL.

See: Proper mod_md configuration for LE no longer supporting OCSP · Issue #367 · icing/mod_md · GitHub

In short, nothing you need to worry about 🙂

For reference, the MDStapling docs are here: mod_md - Apache HTTP Server Version 2.4

4 Likes

Thanks, again!

3 Likes