"ssl_stapling" ignored, no OCSP responder URL in the certificate" Warning

[deepspaceaxolotl]

Bug description

Not sure if it is a bug, mainly just unsure of why this is happening and if there's a way to fix it. When my certificates get renewed, I get this warning for all of them:

[warn] 123#123: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/[subdomain.domain.tld].crt"

I've not modified any OCSP- or SSL stapling-related behaviour as far as I recall. I've only recently added the RESOLVERS environment variable to fix an error I was getting.

acme-companion image version

Info: running acme-companion version v2.6.0-2-g8da1790

nginx-proxy's Docker configuration

services:
    proxy:
        image: "nginxproxy/nginx-proxy"
        container_name: "proxy"
        volumes:
            - conf:/etc/nginx/conf.d
            - vhost:/etc/nginx/vhost.d
            - html:/usr/share/nginx/html
            - certs:/etc/nginx/certs
            - /var/run/docker.sock:/tmp/docker.sock:ro
        networks: ["server"]
        restart: "always"
        ports:
            - "80:80"
            - "443:443"
        environment:
            RESOLVERS: 8.8.8.8
    acme-companion:
        image: "nginxproxy/acme-companion"
        container_name: "acme-companion"
        volumes_from: ["proxy"]
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - acme:/etc/acme.sh
        environment:
            DEFAULT_EMAIL: <my email>
        networks: ["server"]
        restart: "always"
        depends_on: ["proxy"]

networks:
    server:
        external: true

volumes:
    conf:
    certs:
    vhost:
    html:
    acme:

Proxied container configuration:

services:
    client:
        image: nginx:latest
        container_name: "subdomain.domain.tld"
        restart: unless-stopped
        environment:
            VIRTUAL_HOST: subdomain.domain.tld
            VIRTUAL_PORT: 80
            LETSENCRYPT_HOST: subdomain.domain.tld
        volumes:
            - "./nginx.conf:/etc/nginx/nginx.conf"
            - "./src:/usr/share/nginx/html"
        networks: ["server"]

networks:
    server:
        external: true

rendered nginx configuration

2025/05/20 12:56:41 [warn] 126#126: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/subdomain.domain.tld.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/subdomain.domain.tld.crt"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# configuration file /etc/nginx/nginx.conf:

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /run/nginx.pid;


events {
    worker_connections  10240;
}
worker_rlimit_nofile 20480;


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

include /etc/nginx/toplevel.conf.d/*.conf;

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/default.conf:
# nginx-proxy version : 1.7.1-15-g554689c
# Networks available to the container labeled "com.github.nginx-proxy.nginx-proxy.nginx" or the one running docker-gen
# (which are assumed to match the networks available to the container running nginx):
#     server
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}
map $http_x_forwarded_host $proxy_x_forwarded_host {
    default $http_x_forwarded_host;
    '' $host;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}
# Include the port in the Host header sent to the container if it is non-standard
map $server_port $host_port {
    default :$server_port;
    80 '';
    443 '';
}
# If the request from the downstream client has an "Upgrade:" header (set to any
# non-empty value), pass "Connection: upgrade" to the upstream (backend) server.
# Otherwise, the value for the "Connection" header depends on whether the user
# has enabled keepalive to the upstream server.
map $http_upgrade $proxy_connection {
    default upgrade;
    '' $proxy_connection_noupgrade;
}
map $upstream_keepalive $proxy_connection_noupgrade {
    # Preserve nginx's default behavior (send "Connection: close").
    default close;
    # Use an empty string to cancel nginx's default behavior.
    true '';
}
# Abuse the map directive (see <https://stackoverflow.com/q/14433309>) to ensure
# that $upstream_keepalive is always defined.  This is necessary because:
#   - The $proxy_connection variable is indirectly derived from
#     $upstream_keepalive, so $upstream_keepalive must be defined whenever
#     $proxy_connection is resolved.
#   - The $proxy_connection variable is used in a proxy_set_header directive in
#     the http block, so it is always fully resolved for every request -- even
#     those where proxy_pass is not used (e.g., unknown virtual host).
map "" $upstream_keepalive {
    # The value here should not matter because it should always be overridden in
    # a location block (see the "location" template) for all requests where the
    # value actually matters.
    default false;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header based on $proxy_x_forwarded_proto
map $proxy_x_forwarded_proto $proxy_x_forwarded_ssl {
    default off;
    https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost escape=default '$host $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_addr"';
access_log off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;
error_log /dev/stderr;
resolver 8.8.8.8;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_set_header Host $host$host_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $proxy_x_forwarded_host;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
proxy_set_header X-Original-URI $request_uri;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
    server_name _; # This is just an invalid value which will never trigger on a real hostname.
    server_tokens off;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 80;
    listen 443 ssl;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    location ^~ / {
        return 503;
    }
}
# subdomain.domain.tld/
upstream subdomain.domain.tld {
    # Container: subdomain.domain.tld
    #     networks:
    #         server (reachable)
    #     IPv4 address: <IPv4 address>
    #     IPv6 address: (none usable)
    #     exposed ports (first ten): 80/tcp
    #     default port: 80
    #     using port: 80
    server <IPv4 address>:80;
    keepalive 2;
}
server {
    server_name subdomain.domain.tld;
    access_log /var/log/nginx/access.log vhost;
    listen 80 ;
    # Do not HTTPS redirect Let's Encrypt ACME challenge
    location ^~ /.well-known/acme-challenge/ {
        auth_basic off;
        auth_request off;
        allow all;
        root /usr/share/nginx/html;
        try_files $uri =404;
        break;
    }
    location / {
        if ($request_method ~ (OPTIONS|POST|PUT|PATCH|DELETE)) {
            return 301 https://$host$request_uri;
        }
        return 301 https://$host$request_uri;
    }
}
server {
    server_name subdomain.domain.tld;
    access_log /var/log/nginx/access.log vhost;
    http2 on;
    listen 443 ssl ;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/subdomain.domain.tld.crt;
    ssl_certificate_key /etc/nginx/certs/subdomain.domain.tld.key;
    ssl_dhparam /etc/nginx/certs/subdomain.domain.tld.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/subdomain.domain.tld.chain.pem;
    set $sts_header "";
    if ($https) {
        set $sts_header "max-age=31536000";
    }
    add_header Strict-Transport-Security $sts_header always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://subdomain.domain.tld;
        set $upstream_keepalive true;
    }
}

Containers logs

Please provide the logs of:

• your acme-companion container
• your nginx-proxy container (or nginx and docker-gen container in a three containers setup)

Info: running acme-companion version v2.6.0-2-g8da1790
Info: 4096 bits RFC7919 Diffie-Hellman group found, generation skipped.
Reloading nginx proxy (90d52d5c52772d37573e739825e432755848cb53565b590da8f2e42f4300fe49)...
2025/05/20 12:35:32 Generated '/etc/nginx/conf.d/default.conf' from 9 containers
2025/05/20 12:35:32 [warn] 40#40: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/subdomain.domain.tld.crt"
2025/05/20 12:35:32 [notice] 40#40: signal process started
2025/05/20 12:35:32 Generated '/app/letsencrypt_service_data' from 9 containers
2025/05/20 12:35:32 Running '/app/signal_le_service'
2025/05/20 12:35:32 Watching docker events
2025/05/20 12:35:32 Contents of /app/letsencrypt_service_data did not change. Skipping notification '/app/signal_le_service'
Creating/renewal subdomain.domain.tld certificates... (subdomain.domain.tld)
[Tue May 20 12:35:34 UTC 2025] Domains not changed.
[Tue May 20 12:35:34 UTC 2025] Skipping. Next renewal time is: 2025-05-21T21:57:18Z
[Tue May 20 12:35:34 UTC 2025] Add '--force' to force renewal.
Sleep for 3600s

Docker host

• OS: Debian GNU/Linux 12 (bookworm)
• Docker version: 28.1.1

[SchoNie]

This seems related: Ending OCSP Support in 2025

May 7, 2025
On this date we will drop OCSP URLs from certificates

https://kbeezie.com/nginx-ssl_stapling-ignored-ocsp-letsencrypt/

As a result certificates issued after May 7, 2025 no longer include OCSP URLs in the certificates and the warning above will show in the NGINX log. After August 6, 2025 any existing certificate that still relies on OCSP Stapling will not get a response from their servers.

But as the ssl_stapling on; & ssl_stapling_verify on is nginx-proxy logic it's hard to just ignore the OCSP full chain part just for Letsencrypt and should be handled in acme-companion. Maybe it is as easy as setting --ocsp-must-staple to false but I am not sure.

[buchdag]

@SchoNie yes this is definitely caused by the end of OCSP support on Let's Encrypt's side.

This can only be fixed on nginx-proxy's side with ssl_stapling / ssl_stapling_verify. Since the world's largest Certificate Authority dropped OCSP, it rather make sense that enabling ssl_stapling based on the presence of the certificate chain should no longer be the default behaviour of nginx-proxy.

On acme-companion's side --ocsp-must-staple is related to the OCSP Must-Staple extension which is something distinct from enabling / disabling SSL stapling. It's not enabled by default.

[VincentSC]

We're now past the deadline, and I already got some problems when I moved a domain to another docker, and it failed to serve the certificate.

What is also important in this discussion, is that OCSP is replaced with CRL. And seemingly stapling works alike, from what I understand.

There is a mention of CRLs at https://github.com/nginx-proxy/nginx-proxy/tree/main/docs#certificate-revocation-list-crl but I simply don't get it, as it assumes certain knowledge. Since there is no mention in this repo, I assume there is no support for CRL-handling?

[buchdag]

and it failed to serve the certificate.

@VincentSC could you elaborate ? Beside a warning this should not prevent nginx to serve the certificate in any way.

The mention of CRL you saw in the nginx-proxy docs is for SSL client verification (mTLS). It's the same concept but applied to something slightly different.

Since there is no mention in this repo, I assume there is no support for CRL-handling?

CRL for public certificates isn't something that is implemented by the web server. It's the client (ie the web browser) responsibility to fetch publicly available CRLs and reject a public certificate that appears on a CRL.

https://en.wikipedia.org/wiki/Certificate_revocation_list

Browsers and other relying parties might use CRLs, or might use alternate certificate revocation technologies (such as OCSP or CRLSets (a dataset derived from CRLs) to check certificate revocation status.