Potential issue with OCSP stapling

Bitpalast

Server operating system version: Alma 8
Plesk version and microupdate number: 18.0.69 #3
When running # nginx -t we are seeing lots of these lately:
Code:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/psa/var/certificates/scftPr4m0"

It means that the web server is configured to use OCSP stapling, but the SSL/TLS certificate used does not include an OCSP responder URL, so OCSP stapling cannot work. The SSL certificate does not contain an Authority Information Access (AIA) field with an OCSP URL, which is required for OCSP stapling. Without that, the server has no place to fetch the OCSP status from.

It seems that this affects all SSL certificates generated through the Plesk SSLIt extension. I am not sure whether this is a misconfiguration here or a bug, but given the large number of certs affected, I tend to think of it as a bug. The thing is that previously that warning was not shown, e.g. several weeks ago. Something must have changed since then. Maybe an update? I am not sure when it started.
 
Thank you for the link! Very interesting. So it seems we've been very lucky that the web servers did not start hanging due to an impossible OCSP verification process as the verification servers went offline? Plesk should consider updating the extension and removing the OCSP option from it.
 
Thank you for bringing that up. I know this case was previously discussed by our team, but, as of this point, I don't have a clear answer on what actions will be taken. I will follow up with more details shortly.
 
The only (negative) effect that the OCSP stapling option has and ever can have is a warning message when reloading or restarting the nginx webserver.
So yes, it may not be nice, but it will never break your system.

Btw. for self-signed certificates you'll get the same warning, as these certificates also do not contain an OCSP URL.

I do expect that Plesk will drop this menu option or at least remove it from their recommended preset.
Would be nice if the Panel would auto-detect the presence of an OCSP URL in the selected/active certificate and hide/remove the stapling option in these cases.
 
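Added example, not code from the thread or from Plesk: a POSIX shell script that uses openssl to check whether a certificate carries an OCSP responder URL in its Authority Information Access extension, which is exactly what the nginx warning in the first post is about, and which the self-signed certificates mentioned in the previous post also lack. It assumes openssl 1.1.1 or newer is on PATH (needed for -addext). The two certificates it generates are constructed test data; the file names no-aia/with-aia, the function names and the responder URL http://ocsp.example.test/ are my own choices.

```shell
#!/bin/sh
# ocsp_check.sh: report which certificates can actually be stapled by nginx.
# Added example (not Plesk code). Assumes openssl >= 1.1.1 on PATH.
set -eu

# ocsp_uri_of CERT: print the OCSP responder URL(s) from the certificate's
# AIA extension, one per line; prints nothing if the extension has none.
ocsp_uri_of() {
    openssl x509 -noout -ocsp_uri -in "$1"
}

# cert_status FILE: classify a file the way nginx would see it.
#   ok           - certificate has an OCSP URL, ssl_stapling can work
#   no-ocsp-url  - certificate parses but has no OCSP URL (the warning case)
#   not-a-cert   - openssl could not load a certificate from the file
cert_status() {
    uri=$(ocsp_uri_of "$1" 2>/dev/null) || { echo not-a-cert; return; }
    if [ -n "$uri" ]; then echo ok; else echo no-ocsp-url; fi
}

# audit_dir DIR: one line per regular file in DIR: "<status><TAB><path>".
audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(cert_status "$f")" "$f"
    done
}

# make_test_certs DIR: constructed sample data. Both certificates are
# self-signed; only the second one carries an AIA extension with an OCSP URL
# (hypothetical responder http://ocsp.example.test/).
make_test_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=no-aia.example.test" \
        -keyout "$1/no-aia.key" -out "$1/no-aia.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=with-aia.example.test" \
        -addext "authorityInfoAccess=OCSP;URI:http://ocsp.example.test/" \
        -keyout "$1/with-aia.key" -out "$1/with-aia.pem" 2>/dev/null
}

# Usage: sh ocsp_check.sh [DIR]
# With a DIR argument, audit every file in it; without one, build the two
# test certificates in a temporary directory and audit those.
main() {
    if [ "$#" -ge 1 ]; then
        audit_dir "$1"
    else
        tmp=$(mktemp -d)
        make_test_certs "$tmp"
        audit_dir "$tmp"
        rm -rf "$tmp"
    fi
}
main "$@"
```

On a Plesk server, `sh ocsp_check.sh /usr/local/psa/var/certificates` (the directory from the warning) lists every file; the lines tagged no-ocsp-url are the certificates for which nginx will print the "ssl_stapling ignored" warning as long as the stapling option stays enabled for their domains.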
A bug with ID EXTSSLIT-2188 has been registered. I cannot provide any ETA yet. Our team confirmed that disabling OCSP Stapling holds no additional risks.

Until the fix is released, you can disable it:

  1. For individual domains by toggling off "OCSP Stapling" in Domains > example.com > SSL/TLS certificates
  2. For all domains by running:

    plesk bin site -l | while read -r i; do plesk ext sslit --ocsp-stapling -disable -domain "$i"; done
 