Issue Potential issue with OCSP stapling

[Bitpalast]

Server operating system version

Alma 8

Plesk version and microupdate number

18.0.69 #3

On # nginx -t we are seeing lots of these lately:

nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/psa/var/certificates/scftPr4m0"

It means that the web server is configured to use OCSP stapling, but the SSL/TLS certificate used does not include an OCSP responder URL, so OCSP stapling cannot work. The SSL certificate does not contain an Authority Information Access (AIA) field with an OCSP URL, which is required for OCSP stapling. Without that, the server has no place to fetch the OCSP status from.

It seems that this affects all SSL certificates generated through the Plesk SSLIt extension. I am not sure whether this is a misconfiguration here or a bug, but given the large number of certs affected, I tend to think of it as a bug. The thing is, that previously that warning was not shown, e.g. several weeks ago. Something must have changed since then. Maybe an update? I am not sure when it started.

 

[King555]

Maybe it's because of this: Ending OCSP Support in 2025

 

[Bitpalast]

Thank you for the link! Very interesting. So it seems we've been very lucky that the web servers did not start hanging due to an impossible OCSP verification process as the verification servers went offline? Plesk should consider to update the extension and to remove the OCSP option from it.

 

[Sebahat.hadzhi]

Thank you for bringing that up. I know this case was previously discussed by our team, but, as of this point, I don't have a clear answer on what actions will be taken. I will follow up with more details shortly.

 

[King555]

Should I disable OCSP stapling for all domains right now to avoid failures when the automatic renewal occurs?

 

[Sebahat.hadzhi]

@King555 , I believe it shouldn't be an issue disabling OCSP stapling, but if your SSL renewal is not due in the upcoming few days, let me clarify that with our team first.

 

[ChristophRo]

The only (negative) effect that the OCSP stapling option has and ever can have, is a warning message when reloading or restarting the nginx webserver.
So yes, it may not be nice, but it will never break your system.

Btw. for self-signed certificates you'll get the same warning, as these certificates do also not contain an OCSP URL.

I do expect that Plesk will drop this menu option or at least remove it from their recommended preset.
Would be nice if the Panel would auto-detect the presence of an OCSP URL in the selected/active certificate and hide/remove the stapling option in these cases.

 

[Sebahat.hadzhi]

A bug with ID EXTSSLIT-2188 has been registered. I cannot provide any ETA yet. Our team confirmed that disabling OCSP Stapling holds no additional risks.

Until the fix is released, you can disable it:

1. For individual domains by toggling off "OCSP Stapling" in Domains > example.com > SSL/TLS certificates
2. For all domains by running:
   
   

   plesk bin site -l | while read i; do plesk ext sslit --ocsp-stapling -disable -domain $i; done

 

[Bitpalast]

The only (negative) effect that the OCSP stapling option has and ever can have, is a warning message when reloading or restarting the nginx webserver.
So yes, it may not be nice, but it will never break your system.

Not really. One problem is that when the servers are unresponsive yet the webserver for some reason might still want to address them, on systems with many websites an Nginx reload or restart will hang and eventually run into a timeout. In other words: The web server might not restart. This was a known issue once when some nameservers stopped resolving their OCSP server domain names.

Another problem is shown here: Issue - Certificate verification failed
The cause for that is the missing OCSP response, so some users are unable to update components of their OS at this time.

Would be nice if the Panel would auto-detect the presence of an OCSP URL in the selected/active certificate and hide/remove the stapling option in these cases.

Absolutely necessary!

All in all I think it is safe to call turning of OCSP service is a stupid decision by Let's Encrypt. And it foreshadows a path we don't want to see: That sooner or later the whole free SSL project will stop, forcing hundreds of millions of users to buy overpriced certificates from commercial vendors again.

 

[trialotto]

A bug with ID EXTSSLIT-2188 has been registered. I cannot provide any ETA yet. Our team confirmed that disabling OCSP Stapling holds no additional risks.

Until the fix is released, you can disable it:

1. For individual domains by toggling off "OCSP Stapling" in Domains > example.com > SSL/TLS certificates
2. For all domains by running:
   

@Sebahat.hadzhi

This is a "workaround" and NOT a solution.

In fact, @Bitpalast was right by stating that it is a bug.


The error notifications resulting from nginx are the result of failures related to the OCSP Must Staple extension, as can be deducted from

• May 7, 2025
  • Prior to this date we will have added CRL URLs to certificates
  • On this date we will drop OCSP URLs from certificates
  • On this date all requests including the OCSP Must Staple extension will fail
• August 6, 2025
  • On this date we will turn off our OCSP responders

implying that

1 - responses from the OCSP service should still work,

2 - responses should not lead to error notifications, UNLESS OCSP Must Staple extension is activated.


The bug here is that the OCSP Must Staple extension is activated, even though OCSP Stapling would - in most cases - work without that extension.


Another bug here is that OCSP is used, even though CRL could have been used by Plesk since 2022 !!!


In my humble opinion, it should have been predictable that CRL would replace OCSP and that Plesk should have adapted the SSL it extension.

When working on a "fix", try to make sure that the CRL mechanism is - finally - used by the SSL it extension.


Kind regards.....

 

[trialotto]

@Everyone,

This statement

Not really. One problem is that when the servers are unresponsive yet the webserver for some reason might still want to address them, on systems with many websites an Nginx reload or restart will hang and eventually run into a timeout. In other words: The web server might not restart. This was a known issue once when some nameservers stopped resolving their OCSP server domain names.

might be a bit confusing.

First of all, OCSP related issues concern all web servers, at least in theory and - in most cases - also in practice.

Plesk essentially comes with two flavors of web servers : Apache and stand-alone Nginx.

Nginx can be a stand-alone web server OR a reverse proxy (in front of the web server) : in most usage scenarios, Nginx is a reverse proxy.

The current OCSP issue is - factually - limited to Nginx error notifications.

This simply means that Nginx, as a stand-alone Nginx instance OR a reverse proxy, is giving some notifications.

If Nginx is a reverse proxy, then the part "the web server might not restart" is not correct : Nginx (as reverse proxy) will restart!

If Nginx is a stand-alone web server, then Nginx (as stand-alone web server) will - often - restart : only in highly exceptional cases, restart will fail.

If Apache is the web server ......... well, then failures to restart are to be expected.


In summary, it is important to know whether you use Nginx as a reverse proxy or a stand-alone web server.

A clear distinction should be made between the two of them, since the likelihood on and amplitude of (potential) OCSP related issues are completely different between the stand-alone Nginx and the Nginx as a reverse proxy.


This statement

All in all I think it is safe to call turning of OCSP service is a stupid decision by Let's Encrypt. And it foreshadows a path we don't want to see: That sooner or later the whole free SSL project will stop, forcing hundreds of millions of users to buy overpriced certificates from commercial vendors again.

is both right and wrong.

Let's Encrypt made an excellent decision, when (only) looking at the security aspect of OCSP Stapling, since the CA (Certificate Authority) can and WILL gather all kinds of information that you do not want to share with the CA.

Moreover, Let's Encrypt does not mention the - relevant - fact that any CA will become more and more a SPOF (Single Point of Failure) in a system that should increase (and not reduce) security : any hack of any CA will expose lots of information (and this has happened before).

People should make a trade-off when deciding to turn OCSP Stapling on OR off : security will increase by the OCSP mechanism itself, but security will also decrease by allowing the CA to gather information that should be private.

What makes Let's Encrypt's decision excellent?

Well, the simple fact that they do not want to be legally obliged to store specific information ....... with that kind of motive, one could really not object to a decision that involves shutdown of OCSP Stapling.

What makes Let's Encrypt decision a bit less ideal?

Well, if OCSP Stapling is replaced by CRLs (at Let's Encrypt) and other mechanisms (from other companies) .......... then there is uncertainty about what the new industry standard is going to be AND there is space for specific companies to enforce their method as the industry standard.

It is not going to happen that the free SSL projects will stop.

It is also barely relevant.

Nevertheless, it will become relevant that other companies will offer free or cheap SSL certificates.

And there lies the actual problem.

Consider Google ..... offering alternatives to Let's Encrypt (free) SSL certificates would leave us with Google as the CA - without doubt, all data will be used for tracking purposes, which is the core business of companies like Google.

The decision of Let's Encrypt is excellent and honest, but it also will result in space for other (less honest) companies to go into the SSL certificate business.


In my humble opinion, we should not worry about the decision of Let's Encrypt, but we should about the consequences of that decision.

No, it is not very likely that free SSL certificates will become a "thing of the past".

Yes, it is very likely that commercial motives will enter the domain of both paid-for and free SSL certificates - there will always be an incentive to earn money with data gathered, if that data can be gathered - for instance, by becoming a CA that is legally obliged to store specific data.

Nevertheless, even though there might be companies wanting to leap into the market that is partially abandoned by Let's Encrypt, it is still safe to say that all mechanisms (like CRLs) provided by Let's Encrypt are better than the alternatives - Let's Encrypt simply is a more honest project / company.


All of the above is just some food for thought!

Kind regards ...

 

[Sebahat.hadzhi]

@trialotto , thank you for the input. It is forwarded to our team for further review.

I believe in the scope of this bug report it is planned to rework the extension logic so it will automatically disable OCSP stapling and will not allow it to be enabled if the certificate does not have an OCSP responder URL. I will double-check if we plan on introducing CRL support along with it and I will follow up on that next week.