Nginx - [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate

Open ibin79 opened this issue 5 months ago • 0 comments

Nginx warning when OCSP is not supported

# nginx -t
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/letsencrypt/live/php79.com/fullchain.pem"
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Cause - Let's Encrypt OCSP service shut down

https://letsencrypt.org/2025/08/06/ocsp-service-has-reached-end-of-life

Manual steps for existing users

  • Check the ssl_stapling settings
grep -E '^ssl_stapling' /etc/letsencrypt/php79/*.conf
# Example file list
/etc/letsencrypt/php79/ssl-hosting.conf:ssl_stapling on;
/etc/letsencrypt/php79/ssl-hosting.conf:ssl_stapling_verify on;
/etc/letsencrypt/php79/ssl-modern.conf:ssl_stapling on;
/etc/letsencrypt/php79/ssl-modern.conf:ssl_stapling_verify on;
/etc/letsencrypt/php79/ssl-stable.conf:ssl_stapling on;
/etc/letsencrypt/php79/ssl-stable.conf:ssl_stapling_verify on;
  • Comment them out in bulk with a shell script
FILES=( `grep -lE '^ssl_stapling' /etc/letsencrypt/php79/*.conf` )
for i in "${FILES[@]}"
do
    echo "replace file : ${i}"
    sed -i 's/^ssl_stapling/#ssl_stapling/g' "${i}"
done
  • Confirm that the ssl_stapling and ssl_stapling_verify settings are commented out (#)
grep 'ssl_stapling' /etc/letsencrypt/php79/*.conf
  • Test the nginx configuration, then restart
nginx -t && systemctl restart nginx

To be applied in an update

  • [ ] Disable OCSP settings by default

ibin79, Aug 20 '25 00:08
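An added example, not part of the original issue or the php79 project's code: it extracts the affected certificate paths from the warning format shown above, and comments out stapling directives in a way that also covers indented lines, is safe to run twice, and keeps a backup. The function names are hypothetical and the demo data is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Function names are hypothetical.

# Read `nginx -t` output on stdin and print each certificate path named in an
# "ssl_stapling ignored, no OCSP responder URL" warning, once per path.
# nginx -t writes to stderr, so in real use: nginx -t 2>&1 | stapling_warned_certs
stapling_warned_certs() {
    sed -n 's/.*\[warn\] "ssl_stapling" ignored, no OCSP responder URL in the certificate "\(.*\)"$/\1/p' | sort -u
}

# Comment out active ssl_stapling* directives in the given files.
# Also matches indented directives, skips lines that are already commented,
# and keeps a .bak copy of every file it rewrites.
disable_stapling() {
    local f
    for f in "$@"; do
        # Leave files without an active directive untouched (no .bak created).
        grep -qE '^[[:space:]]*ssl_stapling[a-z_]*[[:space:]]' "$f" || continue
        sed -i.bak -E 's/^([[:space:]]*)(ssl_stapling[a-z_]*[[:space:]])/\1#\2/' "$f"
        echo "commented out stapling in: $f"
    done
}

# Demo on constructed data: run as `bash thisfile --demo`.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    # Constructed config: one indented active directive, one already commented.
    printf '    ssl_stapling on;\n#ssl_stapling_verify on;\nssl_protocols TLSv1.3;\n' \
        > "$tmp/ssl-modern.conf"
    # Constructed warning line in the format nginx -t prints.
    printf 'nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/ssl/example/fullchain.pem"\n' \
        | stapling_warned_certs
    disable_stapling "$tmp"/*.conf
    cat "$tmp/ssl-modern.conf"
    rm -rf "$tmp"
fi
```
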