Issue Potential issue with OCSP stapling

[Bitpalast]

Server operating system version

Alma 8

Plesk version and microupdate number

18.0.69 #3

On # nginx -t we are seeing lots of these lately:

nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/psa/var/certificates/scftPr4m0"

It means that the web server is configured to use OCSP stapling, but the SSL/TLS certificate used does not include an OCSP responder URL, so OCSP stapling cannot work. The SSL certificate does not contain an Authority Information Access (AIA) field with an OCSP URL, which is required for OCSP stapling. Without that, the server has no place to fetch the OCSP status from.

It seems that this affects all SSL certificates generated through the Plesk SSLIt extension. I am not sure whether this is a misconfiguration here or a bug, but given the large number of certs affected, I tend to think of it as a bug. The thing is, that previously that warning was not shown, e.g. several weeks ago. Something must have changed since then. Maybe an update? I am not sure when it started.

 

[King555]

Maybe it's because of this: Ending OCSP Support in 2025

 

[Bitpalast]

Thank you for the link! Very interesting. So it seems we've been very lucky that the web servers did not start hanging due to an impossible OCSP verification process as the verification servers went offline? Plesk should consider to update the extension and to remove the OCSP option from it.

 

[Sebahat.hadzhi]

Thank you for bringing that up. I know this case was previously discussed by our team, but, as of this point, I don't have a clear answer on what actions will be taken. I will follow up with more details shortly.

 

[King555]

Should I disable OCSP stapling for all domains right now to avoid failures when the automatic renewal occurs?

 

[Sebahat.hadzhi]

@King555 , I believe it shouldn't be an issue disabling OCSP stapling, but if your SSL renewal is not due in the upcoming few days, let me clarify that with our team first.

 

[ChristophRo]

The only (negative) effect that the OCSP stapling option has and ever can have, is a warning message when reloading or restarting the nginx webserver.
So yes, it may not be nice, but it will never break your system.

Btw. for self-signed certificates you'll get the same warning, as these certificates do also not contain an OCSP URL.

I do expect that Plesk will drop this menu option or at least remove it from their recommended preset.
Would be nice if the Panel would auto-detect the presence of an OCSP URL in the selected/active certificate and hide/remove the stapling option in these cases.

 

[Sebahat.hadzhi]

A bug with ID EXTSSLIT-2188 has been registered. I cannot provide any ETA yet. Our team confirmed that disabling OCSP Stapling holds no additional risks.

Until the fix is released, you can disable it:

1. For individual domains by toggling off "OCSP Stapling" in Domains > example.com > SSL/TLS certificates
2. For all domains by running:
   
   

   plesk bin site -l | while read i; do plesk ext sslit --ocsp-stapling -disable -domain $i; done

 

[Bitpalast]

The only (negative) effect that the OCSP stapling option has and ever can have, is a warning message when reloading or restarting the nginx webserver.
So yes, it may not be nice, but it will never break your system.

Not really. One problem is that when the servers are unresponsive yet the webserver for some reason might still want to address them, on systems with many websites an Nginx reload or restart will hang and eventually run into a timeout. In other words: The web server might not restart. This was a known issue once when some nameservers stopped resolving their OCSP server domain names.

Another problem is shown here: Issue - Certificate verification failed
The cause for that is the missing OCSP response, so some users are unable to update components of their OS at this time.

Would be nice if the Panel would auto-detect the presence of an OCSP URL in the selected/active certificate and hide/remove the stapling option in these cases.

Absolutely necessary!

All in all I think it is safe to call turning of OCSP service is a stupid decision by Let's Encrypt. And it foreshadows a path we don't want to see: That sooner or later the whole free SSL project will stop, forcing hundreds of millions of users to buy overpriced certificates from commercial vendors again.

 

[trialotto]

A bug with ID EXTSSLIT-2188 has been registered. I cannot provide any ETA yet. Our team confirmed that disabling OCSP Stapling holds no additional risks.

Until the fix is released, you can disable it:

1. For individual domains by toggling off "OCSP Stapling" in Domains > example.com > SSL/TLS certificates
2. For all domains by running:
   

@Sebahat.hadzhi

This is a "workaround" and NOT a solution.

In fact, @Bitpalast was right by stating that it is a bug.


The error notifications resulting from nginx are the result of failures related to the OCSP Must Staple extension, as can be deducted from

• May 7, 2025
  • Prior to this date we will have added CRL URLs to certificates
  • On this date we will drop OCSP URLs from certificates
  • On this date all requests including the OCSP Must Staple extension will fail
• August 6, 2025
  • On this date we will turn off our OCSP responders

implying that

1 - responses from the OCSP service should still work,

2 - responses should not lead to error notifications, UNLESS OCSP Must Staple extension is activated.


The bug here is that the OCSP Must Staple extension is activated, even though OCSP Stapling would - in most cases - work without that extension.


Another bug here is that OCSP is used, even though CRL could have been used by Plesk since 2022 !!!


In my humble opinion, it should have been predictable that CRL would replace OCSP and that Plesk should have adapted the SSL it extension.

When working on a "fix", try to make sure that the CRL mechanism is - finally - used by the SSL it extension.


Kind regards.....

 

[trialotto]

@Everyone,

This statement

Not really. One problem is that when the servers are unresponsive yet the webserver for some reason might still want to address them, on systems with many websites an Nginx reload or restart will hang and eventually run into a timeout. In other words: The web server might not restart. This was a known issue once when some nameservers stopped resolving their OCSP server domain names.

might be a bit confusing.

First of all, OCSP related issues concern all web servers, at least in theory and - in most cases - also in practice.

Plesk essentially comes with two flavors of web servers : Apache and stand-alone Nginx.

Nginx can be a stand-alone web server OR a reverse proxy (in front of the web server) : in most usage scenarios, Nginx is a reverse proxy.

The current OCSP issue is - factually - limited to Nginx error notifications.

This simply means that Nginx, as a stand-alone Nginx instance OR a reverse proxy, is giving some notifications.

If Nginx is a reverse proxy, then the part "the web server might not restart" is not correct : Nginx (as reverse proxy) will restart!

If Nginx is a stand-alone web server, then Nginx (as stand-alone web server) will - often - restart : only in highly exceptional cases, restart will fail.

If Apache is the web server ......... well, then failures to restart are to be expected.


In summary, it is important to know whether you use Nginx as a reverse proxy or a stand-alone web server.

A clear distinction should be made between the two of them, since the likelihood on and amplitude of (potential) OCSP related issues are completely different between the stand-alone Nginx and the Nginx as a reverse proxy.


This statement

All in all I think it is safe to call turning of OCSP service is a stupid decision by Let's Encrypt. And it foreshadows a path we don't want to see: That sooner or later the whole free SSL project will stop, forcing hundreds of millions of users to buy overpriced certificates from commercial vendors again.

is both right and wrong.

Let's Encrypt made an excellent decision, when (only) looking at the security aspect of OCSP Stapling, since the CA (Certificate Authority) can and WILL gather all kinds of information that you do not want to share with the CA.

Moreover, Let's Encrypt does not mention the - relevant - fact that any CA will become more and more a SPOF (Single Point of Failure) in a system that should increase (and not reduce) security : any hack of any CA will expose lots of information (and this has happened before).

People should make a trade-off when deciding to turn OCSP Stapling on OR off : security will increase by the OCSP mechanism itself, but security will also decrease by allowing the CA to gather information that should be private.

What makes Let's Encrypt's decision excellent?

Well, the simple fact that they do not want to be legally obliged to store specific information ....... with that kind of motive, one could really not object to a decision that involves shutdown of OCSP Stapling.

What makes Let's Encrypt decision a bit less ideal?

Well, if OCSP Stapling is replaced by CRLs (at Let's Encrypt) and other mechanisms (from other companies) .......... then there is uncertainty about what the new industry standard is going to be AND there is space for specific companies to enforce their method as the industry standard.

It is not going to happen that the free SSL projects will stop.

It is also barely relevant.

Nevertheless, it will become relevant that other companies will offer free or cheap SSL certificates.

And there lies the actual problem.

Consider Google ..... offering alternatives to Let's Encrypt (free) SSL certificates would leave us with Google as the CA - without doubt, all data will be used for tracking purposes, which is the core business of companies like Google.

The decision of Let's Encrypt is excellent and honest, but it also will result in space for other (less honest) companies to go into the SSL certificate business.


In my humble opinion, we should not worry about the decision of Let's Encrypt, but we should about the consequences of that decision.

No, it is not very likely that free SSL certificates will become a "thing of the past".

Yes, it is very likely that commercial motives will enter the domain of both paid-for and free SSL certificates - there will always be an incentive to earn money with data gathered, if that data can be gathered - for instance, by becoming a CA that is legally obliged to store specific data.

Nevertheless, even though there might be companies wanting to leap into the market that is partially abandoned by Let's Encrypt, it is still safe to say that all mechanisms (like CRLs) provided by Let's Encrypt are better than the alternatives - Let's Encrypt simply is a more honest project / company.


All of the above is just some food for thought!

Kind regards ...

 

[Sebahat.hadzhi]

@trialotto , thank you for the input. It is forwarded to our team for further review.

I believe in the scope of this bug report it is planned to rework the extension logic so it will automatically disable OCSP stapling and will not allow it to be enabled if the certificate does not have an OCSP responder URL. I will double-check if we plan on introducing CRL support along with it and I will follow up on that next week.

 

[trialotto]

@trialotto , thank you for the input. It is forwarded to our team for further review.

I believe in the scope of this bug report it is planned to rework the extension logic so it will automatically disable OCSP stapling and will not allow it to be enabled if the certificate does not have an OCSP responder URL. I will double-check if we plan on introducing CRL support along with it and I will follow up on that next week.

@Sebahat.hadzhi

The CRL implementation is a bit tricky.

Let me explain in the most simplest of terms, for the benefit of all Plesk Forum users and for the general understanding of OCSP and its alternative, the CRLs.


OCSP is effective, in the sense that it is - simply stated - equivalent to : "one CRL per certificate".

CRL is a (full) list of all certificates that are revoked.

CRLs are tricky in the sense that they are "(complete) lists per CA".

CRL would become very inefficient if that list would contain hundreds of millions of revoked certificates - this is actually the case for many CAs.

In the past, a solution has already been presented to overcome this inefficiency of CRLs.


A (general) solution is browser-based CRLs, which are supported by all (or most) modern browsers.

This solution (or approach to a solution) is highly browser-specific.

Nevertheless, there has been a tendency (or force) to push centralization - a tendency enforced from the start by Apple (Safari) and Mozilla (Firefox).

Not sure whether the CCADB can resolve the inefficiency of huge CRLs by distributing URLs to those CRLs of each CA, but it might help a bit.


In general, the term "browser-based" - luckily - implies : no need to worry, no need to implement something "on the server side".


The whole problem here is that one diverges from "efficiency" (read: OCSP, one CRL per certificate) to "less efficiency" (read: CRLs, as such huge lists).

Sure, OCSP stapling can be disabled - but it is not wise, as long as the OCSP is still running : it is the most efficient way to check for revocation.

Sure, not allowing OCSP stapling if the certificate does not have OCSP responder URL, that seems to be logical : is it?!?

The answer to that last question : no, it probably is not, but we will have to, since the OCSP responder URL will disappear from the Let's Encrypt certificates.


People have been dealing with the error notification "no OCSP responder URL found" in the past, with some (odd) workaround as a result.

One of the workarounds has been to use some certificates that were installed "server-side" - not wise, in terms of security, but it works.

This particular workaround can also provide a suggestion for Plesk Team to implement CRL support on the server-side : if one really wants to do a check on the server-side, one could consider to maintain CRLs on the server.

It sounds a bit obsolete, if browser-based CRLs are supported, right?

It actually is not .... server-side CRLs can help logging valuable information that would otherwise not be gathered (since only present on the browser-side).

More importantly, server-side CRLs can speed up processes and increase security considerably.


In summary, CRL implementation can be a bit tricky.

It is not about the technical implementation, which should be quite straightforward.

It is tricky in the sense that one has to - carefully - consider the objectives that one wants to achieve, whilst making a good trade-off with has to be done on the server-side and what has to be done on the browser-side.


All of the above is food for thought.

To give Plesk Team some more food for thought, I simply want to mention that - especially - Nginx can be used to create a "OCSP alike" mechanism with one CRL per certificate on the server-side, for all certificates used on that server (and the remainder, if any, should rely on browser-based CRLs).

In my humble opinion, the latter option could be (or should be) investigated.


Kind regards....

 

[mow]

Let's Encrypt made an excellent decision, when (only) looking at the security aspect of OCSP Stapling, since the CA (Certificate Authority) can and WILL gather all kinds of information that you do not want to share with the CA.

Isn't OCSP Stapling explicitly designed to prevent the CA gathering user information, which it would get if each browser would have to connect some revocation database on their own instead of the webserver doing it for them and deliver the recent revocation status stapled to the certificate, so that said database only sees the IP of the webserver which it would know anyway?

 

[trialotto]

Isn't OCSP Stapling explicitly designed to prevent the CA gathering user information, which it would get if each browser would have to connect some revocation database on their own instead of the webserver doing it for them and deliver the recent revocation status stapled to the certificate, so that said database only sees the IP of the webserver which it would know anyway?

@mow,

Well, yes and no.

The original idea (or concept) was - essentially - to increase security : making information available that allows the identification of "unsafe" certificates, with the "(advantageous) byproduct" of additional minimization of the attack surface by means a reduction of sensitive information being exchanged.

So yes, the intention was "prevention", but that was not really the primary objective - it was, so to speak, a "byproduct" by design.

But no, any OCSP service designed to be responding to requests is not equal to minimization of the attack service - OCSP Stapling by design is not more or less safe : it will increase the attack vectors, which - ironically - also include information that would normally be considered as "safe" (and actually is "unsafe").

For instance, having knowledge of revoked certificates is (one the hand) a validation method of "safe" certificates and (on the other hand) an information source.

A source of information that can be used or, if you will, misused.

Use (or misuse) can take place everywhere in all separate steps of certificate authentication, notably on all sides where these steps are occurring.

Use (or misuse) is hence not limited to the CAs.

Nevertheless, the irony is that the CAs have to gather the information, in order to make the (design of) OCSP stapling work - the CAs will get data with all kinds of requests and this data is stored in order to make OCSP stapling a viable (validation) process.

One of the solutions to the requirement that CAs will have to gather information is that CAs do not store the obtained data permanently.

With that possibility (read: not storing data permanently) in mind, OCSP stapling was designed as the (proper) method of validation of "safe" certificates, by eliminating "unsafe" certificates, amongst which revoked certificates.

If you ask me, it is a choice in the light of efficiency (otherwise OCSP stapling would be rather inefficient and unmanageable) for most CAs, but some CAs did agree with the OCSP stapling design for other reasons - they wanted to gather data and some CAs did not really have "nice objectives or intentions".

Let's Encrypt was one of the CAs with good intentions, essentially looking for a good system, with "good" being defined by the limitations of the system.

However, that possibility (read: not storing data permanently) is more and more absent.

The simple fact is that some CAs are simply obliged by law to gather and store data ...... and even share this data with governmental bodies.


In summary, Let's Encrypt seems to have made an excellent decision in the sense that they sticked to their firm belief that it is not the role of the CA to gather and store data - they are still aiming at "prevention" (where and whenever possible).

So, yes, any design might have a specific intention, like prevention of data gathering (by CAs or other parties).

However, also a no, since the nature and limitations of any design and/or changes in applicable law might simply change the implications and consequences of any design, hence creating a discrepancy between the original intention and the factual implications/consequences.


OCSP stapling might have been a good concept with a flawed design that could be improved to combat misuse by those parties that wanted to gather information ......

....... but it became rather clear that that good concept was already doomed from 2022, when the deliberate choice was made to actively maintain CRLs and even push the usage of those CRLs.

In my humble opinion, it remains strange to note that the companies and governments that we rely upon for safety ..... are using "safety mechanisms" to get information - I am not sure whether there is perfect causality between information and safety.


Kind regards...

 

[mow]

@mow,

Well, yes and no.

The original idea (or concept) was - essentially - to increase security : making information available that allows the identification of "unsafe" certificates, with the "(advantageous) byproduct" of additional minimization of the attack surface by means a reduction of sensitive information being exchanged.

So yes, the intention was "prevention", but that was not really the primary objective - it was, so to speak, a "byproduct" by design.

That's not what I heard.
What I understand how it went like (see also OCSP stapling - Wikipedia):

• Early SSL-supporting browsers only checked the certificate chain.
• Checking the certificate status requires extra data.
• If the browser connects somewhere to check the validity, in this case the CA's OCSP server, it will get the most recent data, but this somewhere will be a) swamped with requests, which could be a problem for small CAs b) able to collect which IP addresses are requesting certificate data for which certificate.
• So there was the idea that the webserver should connect to its CA to get a signed, timestamped confirmation that the certificate was valid at this time, and would deliver it to the browser tacked on the certificate. This means there is a time window where the certificate in question could be revoked, but the browser still trusts it until it decides the timestamp is too old, however the advantages are that this a) will only put a small extra load on the CA's server b) the CA can't collect client data this way as the client doesn't need to connect them c) clients can't be stealth-blocked by blocking access to OCSP responders d) the webserver will be able to deliver the status confirmation until the timestamp runs out.

But no, any OCSP service designed to be responding to requests is not equal to minimization of the attack service - OCSP Stapling by design is not more or less safe : it will increase the attack vectors, which - ironically - also include information that would normally be considered as "safe" (and actually is "unsafe").
For instance, having knowledge of revoked certificates is (one the hand) a validation method of "safe" certificates and (on the other hand) an information source.

A source of information that can be used or, if you will, misused.

But you need to get that information somehow if you want to be able to revoke certificates at all.

 

[trialotto]

@mow

First of all, thank you for the reply - I like this kind of in-depth discussions, since they do add value, even to the Plesk forum.

In my humble opinion, a rock-solid discussion is a good starting point to come to a roadmap for future development ..... come to something in agreement.

In essence, this is often what lacks in terms of Plesk development : certain things are to be expected, but still not anticipated.

For instance, the current (annoying) issue with OCSP stapling is one the "things not anticipated", even though it could have been expected since 2022.


The statement

But you need to get that information somehow if you want to be able to revoke certificates at all.

is a bit lopsided, in the sense that revocation is not a process.

Revocation is simply the endresult of renewal a specific certificate.

Revocation is hence a product of the process of renewal.

More importantly, revocation by design (and intention) is a product that allows for security checks.

In theory, there is no need to do anything with revoked certificates, since the process of renewal would simply suffice.

In practice, there is a desire (not a need) to do something with revoked certificates, since that can increase security by various methods - for instance, dbases with revoked certificates allow for "easy" validity checking and/or allow for identifying abuse of certificates (for malicious purposes).

Nevertheless, a desire is totally different from a need.

In addition, desires are mostly driven by other objectives, which objectives might be commercial (i.e. related to efficiency and lower cost, not to security).


In every way, all new developments are to some degree subject to a commercial goal related to "obtaining or maintaining market share".

The big debate between (original) OCSP and OCSP Stapling was more or less a battlefield for market share between browsers .... and to a lesser degree, between larger and smaller CAs with less resources and hence bigger difficulties to satisfy the (original) OCSP requirements, since (original) OCSP can be deemed to be associated with a bigger number of requests than OCSP Stapling.


Moreover, all new developments are prone to one party or a group of parties dominating the roadmap of development.

OCSP Stapling has been presented as the solution to some well-known issues with (original) OCSP and pushed as a solution by many parties.

However, this is actually solving a problem, without noticing the root cause of the problem.


The actual root cause of the problem is a combination of the factors that

1 - all expired certificates can be considered as "unvalid" (and CRLs are the solution to that, since CRLs contain a lot of information)

2 - not all unexpired certificates are "valid" (and the only solution to that is composed of validation requests with the CA)

3 - unexpired certificates can be stored as revoked certificates (and both original OCSP and OCSP Stapling are a solution to that)

4 - revoked certificates can be checked efficiently by means of OCSP Stapling (since original OCSP is just as demanding as regular validation methods)

5 - OCSP Stapling data does not include a lot of data (and CRLs do, so CRLs are to be preferred)

6 - OCSP Stapling data only includes data about validity (or revocation) FROM THE LAST TIME the OCSP service has been contacted

7 - OCSP Stapling can create a small or big time frame in which a certificate may seem to be valid (but actually is not)

8 - OCSP Stapling is just as good (or safe) as the client contacting the OCSP service (and some clients only check for revocation, not for validity)


In summary, there is a big desire (or even need) to prevent huge numbers of requests with the CAs and OCSP Stapling was proposed as a solution.


However, there are considerable underlying problems when focusing on "revoked certificates" with either OCSP or OCSP Stapling.

Even though (original) OCSP and OCSP Stapling create efficiency in the sense that

a) the number of requests with the CA is narrowed down to unexpired certificates,

b) the number of requests with (original) OCSP is narrowed down to expired certificates, with requests being less demanding than CRL requests,

c) the number of requests with OCSP Stapling is narrowed down to expired certificates, with requests being less demanding than (original) OCSP requests,

there still is the concern of safety and security, related to the time frame in which a certificate may seem valid (but actually might not be valid).


The latter security issue really depends on the implementation used, i.e. the client.

For instance, Let's Encrypt / SSL it! extension in Plesk - essentially - uses OCSP Stapling to determine the time at which a certificate has to be renewed.

There is a desire to do that, but there is no need to implement it in a different way : most browsers still use CRL based validation methods, implying that any certificate that is renewed on time by Plesk will be accepted by a browser (since the renewed certificate is not in a CRL).

As another example, using OCSP Stapling (or OCSP) to determine whether the certificate has been revoked, does not imply that you check for validity : in all cases, a validity check with the CA still has to be done in order to establish validity of the certificate.

There is a need to do that validity check, since unexpired certificates are NOT automatically valid.

The latter need also becomes clear when one realizes that OCSP Stapling will result in a (small or big) time window in which a certificate can seem valid.


In general, there is always a need (not a desire) to check for validity with the CA.

In my humble opinion, moving far away from validity checks by emphasizing revocation checks is wrong by nature and design.

And we are all exposed to the consequences thereof, as has become painfully clear when one Microsoft certificate was issued to an unknown person.

Deciding to impose CAs with a lesser burden for the sake of efficiency for only those CAs, that is a very odd and wrong trade-off between public security and commercial gain as a result of increased efficiency and associated lower costs.

I have never been a fan of (original) OCSP, given the presence of CRLs ...... and could not be a fan of OCSP Stapling, for many reasons.

It really should be a process of "check" (revocation) and "double check" (validity).


Kind regards....

PS I am not mentioning, for the sake of convenience and clarity, that OCSP Stapling and/or OCSP are significantly affecting security in many ways that are or can be very negative. OCSP Stapling or (original) OCSP are intended and designed to have a positive effect on security, but the opposite is also true. In a brief nutshell, the dynamic nature of OCSP and OCSP Stapling allows for "certificate data harvesting" with that data making it more "easy" (read: not easy, but not impossible) to hack and/or falsify certificates. CRLs have a similar disadvantage to a much lesser degree, due to the static nature of CRLs. Difficult topic!

PS 2 For the sake of convenience, I am not quoting the four points mentioned by @mow, since they should be addressed to a high degree in all of the above.