Nginx warnings in swag log about "ssl_stapling" ignored

bidh · 24 June 2025 12:31

Hello, it is more a FYI than a request for support.

I had my log filled with lots of warnings:

nginx: [warn] “ssl_stapling” ignored, no OCSP responder URL in the certificate “/config/keys/cert.crt”

Apparently Let’s Encrypt dropped OCSP. Not sure what it is.

But commenting out or setting those on off in /swag/config/nginx/ssl.conf solved the warning.

 ssl_stapling on;
 ssl_stapling_verify on;

It didn’t seem to create more problems.

driz · 24 June 2025 13:11

your container logs also tell you that you have configs out of date and if you updated them, it would have also resolved your warning.

bidh · 24 June 2025 13:58

There were NO warnings whatsoever about ssl.conf located in /swag/config/nginx

Besides my ssl.conf is dated from 06/12/2024 and it seems to be the latest.

## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

### Mozilla Recommendations
# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7

After comparing its content, I noticed that indeed the OCSP should have been commented out.
But were not in mine.

And apparently they were removed altogether later.

driz · 24 June 2025 14:01

That is about a year old, latest is 05/31/2025, I would ensure you are properly pulling the latest release to ensure it’s checking for out of date configs and ensuring the security of your container

yourjelly · 11 July 2025 13:03

the ssl.conf in the master branch is the 06/12/2024 so does the master branch need to be updated then? or should linuxserver/swag point to the 3.22 branch?

github.com/linuxserver/docker-baseimage-alpine-nginx

root/defaults/nginx/ssl.conf.sample

master

## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample

### Mozilla Recommendations
# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7

ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

This file has been truncated. show original

Edit: Looks like removing the master is the plan, so swag should be updated

github.com/linuxserver/docker-baseimage-alpine-nginx

Prep for removing master branch

master ← demaster

opened 03:07PM - 31 May 25 UTC

thespad

+48 -50

[linuxserverurl]: https://linuxserver.io [![linuxserver.io](https://raw.githubu…sercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] ------------------------------ - [x] I have read the [contributing](https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications ------------------------------ ## Description: Quick change just to stop master building stable releases as well as the 3.22 branch. ## Benefits of this PR and context: ## How Has This Been Tested? ## Source / References:

yourjelly · 11 July 2025 13:15

Actually this appears to be being addressed already:

github.com/linuxserver/docker-swag

Rebase to 3.22

master ← 3.22

opened 05:51PM - 09 Jul 25 UTC

thespad

+69 -67

[linuxserverurl]: https://linuxserver.io [![linuxserver.io](https://raw.githubu…sercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] ------------------------------ - [x] I have read the [contributing](https://github.com/linuxserver/docker-swag/blob/master/.github/CONTRIBUTING.md) guideline and understand that I have made the correct modifications ------------------------------ ## Description: ## Benefits of this PR and context: ## How Has This Been Tested? ## Source / References:

driz · 11 July 2025 13:36

as noted in the GHI you opened (there is really no need for you to post the same info in multiple places) your confs are outdated and your container logs would tell you this. The ssl_stapling was commented out by default in August of 2022, it was fully removed in November of 2024.

tl;dr this issue only exists for users that do not properly update their container, which is also why very few see this issue.

github.com/linuxserver/docker-swag

[BUG] Nginx warnings in log about “ssl_stapling”

opened 01:12PM - 11 Jul 25 UTC

closed 01:31PM - 11 Jul 25 UTC

yourjelly

### Is there an existing issue for this? - [x] I have searched the existing iss…ues ### Current Behavior As documented here: https://discourse.linuxserver.io/t/nginx-warnings-in-swag-log-about-ssl-stapling-ignored/10624 Nginx is spamming a warning to the log > nginx: [warn] “ssl_stapling” ignored, no OCSP responder URL in the certificate “/config/keys/cert.crt” ### Expected Behavior This is fixed in 3.22 of alpine-nginx, but swag still points to the master branch https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/3.22/root/defaults/nginx/ssl.conf.sample Which appears to be on the outs https://github.com/linuxserver/docker-baseimage-alpine-nginx/pull/185 So swag should be updated to use the default branch? ### Steps To Reproduce Have a proxy-config that doesn't work and then fix it and the logs get the ssl stapling warning ### Environment ```markdown - OS: - How docker service was installed: ``` ### CPU architecture x86-64 ### Docker creation ```bash Unraid container ``` ### Container logs ```bash ... Server ready /config/nginx/proxy-confs/ MODIFY test.subdomain.conf nginx: [emerg] unexpected "}" in /config/nginx/proxy-confs/test.subdomain.conf:43 nginx: configuration file /etc/nginx/nginx.conf test failed Changes to nginx config detected but the changes are not valid, skipping nginx reload. Please fix your config. /config/nginx/proxy-confs/ MODIFY test.subdomain.conf nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt" ```