June 13, 2025

Disable OCSP on an Nginx web server so you can renew Let’s Encrypt certificates

Let’s Encrypt no longer supports OCSP.

A few years ago, I had configured my Nginx web server with OCSP.

Now that OCSP is no longer supported, the cron job that renews Let’s Encrypt certificates fails.

To fix this, I did the following.

I turned off these two parameters in nginx.conf:

ssl_stapling off;
ssl_stapling_verify off;

Then I had to revoke the certificate of each website and issue a new one.

When a certificate had already expired, I did not have to revoke it.

I ran:

# certbot revoke --cert-path /etc/letsencrypt/archive/${YOUR_DOMAIN}/cert1.pem

or whichever cert[number].pem is the current one.

Then:

# certbot certonly --webroot -w /var/www/example.com --dry-run --rsa-key-size 4096 --agree-tos -w /var/www/letsencrypt -d example.com --register-unsafely-without-email

to test.

If the test was successful, I ran:

# certbot certonly --webroot -w /var/www/example.com --rsa-key-size 4096 --agree-tos -w /var/www/letsencrypt -d example.com --register-unsafely-without-email

Then I ran:

# certbot certificates

to check the expiry dates of certificates.

Then:

# nginx -t
# systemctl reload nginx
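Stapling directives are often set in per-site files included from nginx.conf, not only in nginx.conf itself, and a vhost that still says ssl_stapling on will keep failing. As an added check (this script is not part of the original post and assumes only that your site configs live under a directory you pass to it), this lists every active stapling directive that is still on across a config tree; the demo at the bottom runs on a constructed sample tree:

```shell
#!/bin/sh
# Added example, not from the original post: find every uncommented
# "ssl_stapling on;" or "ssl_stapling_verify on;" in a tree of Nginx
# config files, so stapling can be confirmed off before re-issuing.

# Usage: find_stapling_on <dir-or-file>...  -> prints file:line:directive
find_stapling_on() {
    # Anchored at line start (after optional indentation), so a commented
    # "# ssl_stapling on;" is ignored; -H forces the filename in output.
    grep -rnHE '^[[:space:]]*ssl_stapling(_verify)?[[:space:]]+on[[:space:]]*;' "$@" 2>/dev/null
}

# Number of active "on" directives found (whitespace-trimmed for BSD wc).
count_stapling_on() {
    find_stapling_on "$@" | wc -l | tr -d ' '
}

# Exit status 0 when no active stapling directive remains, 1 otherwise.
stapling_disabled() {
    [ "$(count_stapling_on "$@")" -eq 0 ]
}

# Builds a constructed sample tree (not a real server) and prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-enabled"
    cat > "$d/nginx.conf" <<'EOF'
http {
    ssl_stapling off;
    ssl_stapling_verify off;
    include sites-enabled/*.conf;
}
EOF
    cat > "$d/sites-enabled/example.com.conf" <<'EOF'
server {
    server_name example.com;
    # ssl_stapling on;   # commented out: ignored
    ssl_stapling on;     # still active: must be fixed
}
EOF
    printf '%s\n' "$d"
}

demo_dir=$(make_demo_tree)
find_stapling_on "$demo_dir"
if stapling_disabled "$demo_dir"; then
    echo "OK: no active stapling directives"
else
    echo "FIX: stapling is still enabled in the files listed above"
fi
```

Run it against /etc/nginx (or wherever your vhost files live) instead of the demo tree; any line it prints must be changed to off before the renewal job will succeed.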

To set automatic renewal of Let’s Encrypt certificates, check: https://yctct.com/renew-certificates.


personal computing command-line interface (cli) gnu linux trisquel shell literacy wiki nginx letsencrypt

No affiliate links, no analytics, no tracking, no cookies. This work © 2016-2025 by yctct is licensed under CC BY-SA 4.0.

GPG fingerprint: 2E0F FB60 7FEF 11D0 FB45 4DDC E979 E52A 7036 7A88