Issue Potential issue with OCSP stapling

At "SSL/TLS Certificate for..." the box "OCSP Stapling" is still present (Plesk Obsidian 18.0.75 Web Host Edition). By default it is disabled, but if
ssl_stapling on;
ssl_stapling_verify on;
are present it turns green with enabled state.
The error is what OP posted:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/usr/local/psa/var/certificates/....
All certificates are from the SSL It! extension at Plesk.
 

Thank you for the update. This is somehow expected. The ability to enable OCSP Stapling hasn't been completely excluded. However, the option should be greyed out if the installed certificate does not include the required URL. What SSL certificates are you using? Are there any steps to reproduce you can share with me so I can double-check whether I will be able to replicate the issue on a test environment? Thank you in advance.
 
You can reply like this (clear and technically correct):


When the certificate is installed, the OCSP Stapling option in the UI is greyed out, which is expected. However, if I manually add:
ssl_stapling on;
ssl_stapling_verify on;
under Apache & nginx Settings → Additional nginx directives, the option indicator turns green in the interface.

So from the UI perspective everything looks enabled and functional until I accidentally noticed the warning:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

I assumed OCSP stapling was working correctly, because the UI shows it as enabled (green status).
Reproduction steps:
  1. Install a Let’s Encrypt certificate.
  2. Leave OCSP stapling disabled (option greyed out).
  3. Manually add:
    ssl_stapling on;
    ssl_stapling_verify on;
    in Additional nginx directives.
  4. The UI indicator turns green.
  5. Check nginx error log -> warning about missing OCSP responder URL.
So the issue is not that stapling cannot be enabled but it’s that the UI reflects configuration directives, not actual runtime capability, which can be misleading when the certificate lacks an OCSP responder URL.


 
We have some domains on our servers that had been using "ssl_stapling on;". They meanwhile display OCSP Stapling as disabled in the panel under SSL/TLS Certificate, but are still trying to connect to an OCSP responder that doesn't exist anymore. These requests go to the server itself (over lo) and result in a 404 error in /var/log/nginx/access.log:

<our-server-ip> - - [16/Apr/2026:00:17:49 +0200] "GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgO%2BIAeYCmF8CTzvHLlqsZJW0g%3D%3D HTTP/1.0" 404 196 "-" "-"

Unfortunately we can't disable OCSP stapling on these domains. Adding "ssl_stapling off;" to the Additional nginx directives doesn't stop it and "plesk bin site -l | while read i; do plesk ext sslit --ocsp-stapling -disable -domain $i; done" results in "Permission denied" with "exit status 1".

How can we solve this issue?
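
Added example (not part of the original post and not Plesk code): the request path in the log line above is an OCSP request sent over HTTP GET as defined in RFC 6960, i.e. the URL-encoded base64 of a DER-encoded OCSPRequest. Decoding it recovers the certificate serial number, which identifies the certificate nginx is still trying to staple; the function names are this example's own.

```python
import base64
import re
from urllib.parse import unquote

# Access-log line quoted in the post above.
SAMPLE = ('<our-server-ip> - - [16/Apr/2026:00:17:49 +0200] "GET /MFMwUTBPME0wSzAJBgUr'
          'DgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgO%2B'
          'IAeYCmF8CTzvHLlqsZJW0g%3D%3D HTTP/1.0" 404 196 "-" "-"')

def read_tlv(buf, pos, want=None):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (want is not None and tag != want):
        raise ValueError("not the expected DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_ocsp_get(log_line):
    """Return the first CertID of an OCSP GET request, or None for other requests."""
    m = re.search(r'"GET /(\S+) HTTP', log_line)
    if not m:
        return None
    try:
        der = base64.b64decode(unquote(m.group(1)), validate=True)
        _, body, _ = read_tlv(der, 0, 0x30)        # OCSPRequest
        _, tbs, _ = read_tlv(body, 0, 0x30)        # TBSRequest
        tag, reqs, nxt = read_tlv(tbs, 0)
        while tag != 0x30:                         # skip optional version / requestorName
            tag, reqs, nxt = read_tlv(tbs, nxt)
        _, req, _ = read_tlv(reqs, 0, 0x30)        # Request
        _, cid, _ = read_tlv(req, 0, 0x30)         # CertID
        _, alg, pos = read_tlv(cid, 0, 0x30)       # hashAlgorithm
        _, oid, _ = read_tlv(alg, 0, 0x06)
        _, _name_hash, pos = read_tlv(cid, pos, 0x04)
        _, key_hash, pos = read_tlv(cid, pos, 0x04)
        _, serial, _ = read_tlv(cid, pos, 0x02)
    except (ValueError, IndexError):               # not base64 or not an OCSPRequest
        return None
    return {"hash_oid": decode_oid(oid), "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex()}
```

The returned serial can be compared with the output of `openssl x509 -noout -serial -in <certificate file>` for each installed certificate to find the domain whose configuration still has stapling active.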
 
@Janko Falli

The statement

So the issue is not that stapling cannot be enabled but it’s that the UI reflects configuration directives, not actual runtime capability, which can be misleading when the certificate lacks an OCSP responder URL.

is not entirely correct, in a number of ways.


First of all, Plesk GUI should not "read" Nginx config and can hence not "reflect" that Nginx config.

If and when you get a green "UI indicator" by adding lines to the "Additional Nginx directives" .... and it becomes grey (read: not activated) after a warning in the Nginx error logs, then the whole point is that Nginx logs have been read and Nginx config is not.

Nevertheless, I cannot assume that your statement is not true (why should I?), but I can state that Plesk GUI SHOULD NOT "read" Nginx config (let alone the Nginx config provided in the Additional Nginx directives) and consequently "think" that all is fine and that OCSP is activated.

The emphasis is on "should" - one would have to imagine a world where one can input something into Plesk and Plesk then considering it as "fine and ok" : well, it simply is not and should not be ok.


Secondly, OCSP stapling can be enabled and OCSP as a method can work, but not for Let's Encrypt ......... but OCSP stapling support has been terminated for Let's Encrypt : all Let's Encrypt OCSP responders have been shut down as of August 6, 2025.

The latter has two implications, being that

1 - old LE certificates with OCSP cannot be checked against an OCSP responder : the Nginx directive ssl_stapling_verify on; will cause an error notification,

2 - new LE certificates are issued without OCSP : the Nginx directives ssl_stapling on; and ssl_stapling_verify on; will cause error notifications,

and hence, when using LE certificates, the ssl_stapling directives do not add value to the Nginx config, they only cause minor warnings.

However, even though the error notifications are warnings that can be ignored, it is highly recommended to remove all ssl_stapling directives from Nginx.


Thirdly, the actual confusing or misleading part of having an "enable OCSP button" in Plesk is simply the fact that this button should not be there, if and when working with LE certificates or other certificates that do not support OCSP stapling.

In my humble opinion, there are a lot of "bad things" in the Plesk GUI and SSL it! extension that can cause havoc when using and issuing new certificates.

This "OCSP button" is only one of them, a minor one ........... one that can safely be ignored, with time saved better spent on other certificate related issues.


In short, you might have - correctly - identified a number of issues with Plesk, being (amongst others) that

a) Plesk apparently "thinks" that deprecated configuration (such as OCSP stapling) can be activated,

b) Plesk apparently "thinks" that adding text related to deprecated configuration in "Additional Nginx directives" can activate that configuration (DANGER!!!),

c) Plesk apparently does not scan (combinations of) configuration for incapabilities (DANGER!!!!)

but you are - incorrect - by focusing on OCSP Stapling with LE certificates : the support therefore has ended already.


Nevertheless, I do want to thank you for pointing out how the lack of a simple test, being a script or lines of code focusing on

- disabling the OCSP stapling button when LE certificates are used, AND
- automatic renewal of LE certificates if they somehow contain OCSP rules, AND
- automated checks and tests of manual input in "Additional Nginx directives" (or "Additional Apache directives"), AND
- prevention of entries of aforementioned input that consists of directives that are related to deprecated config, AND
- prevention of entries of aforementioned input that can cause security issues (for instance when following online "advice"),
- and so on,

should be developed by Plesk Team and introduced as soon as possible.


Kind regards...

DISCLAIMER : I did not have a look into this matter, since a change in policy of development licenses requires me to spend more time on migrating Plesk test servers than I would like to spend. I did not test the "green OCSP button phantom". However, if and when this OCSP button shows as green due to a simple entry in Nginx config (via Additional Nginx directives or otherwise), then that would be highly ridiculous and extremely dangerous for those hosting providers that use Plesk GUI to allow their customers access to a hosting environment where Nginx directives can be added or augmented.
 
@La Linea

Unfortunately we can't disable OCSP stapling on these domains.

You can and you should.

Simply replace the certificates with new ones that do not contain OCSP rules AND remove all Nginx ssl_stapling related directives.

The

and "plesk bin site -l | while read i; do plesk ext sslit --ocsp-stapling -disable -domain $i; done" results in "Permission denied" with "exit status 1".

can be related to (insufficient) privileges, but if I am not mistaken, then the command should be limited to domains alone (read: EXCLUDING subdomains).

I am not a fan of the SSL It! extension, since it does not act as expected in many ways and situations, so please double-check the results of any command!!!

Kind regards........
 