bidh
24 June 2025 12:31
1
Hello, it is more a FYI than a request for support.
I had my log filled with lots of warnings:
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
Apparently Let’s Encrypt dropped OCSP. Not sure what it is.
it seems let’s encrypt ends OCSP support. consequently OCSP stapling must be disabled in nginx: January 30, 2025 OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must...
But commenting those out or setting them to off in /swag/config/nginx/ssl.conf solved the warning.
```nginx
ssl_stapling on;
ssl_stapling_verify on;
```
It didn’t seem to create more problems.
driz
24 June 2025 13:11
2
Your container logs also tell you that you have configs out of date, and if you updated them, it would have also resolved your warning.
bidh
24 June 2025 13:58
3
There were NO warnings whatsoever about ssl.conf located in /swag/config/nginx.
Besides, my ssl.conf is dated 06/12/2024 and it seems to be the latest.
```nginx
## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
### Mozilla Recommendations
# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
```
After comparing its content, I noticed that indeed the OCSP lines should have been commented out.
But they were not in mine.
committed 01:58PM - 20 Aug 22 UTC
It causes warning with self signed certs
And apparently they were removed altogether later.
committed 04:43PM - 15 Nov 24 UTC
driz
24 June 2025 14:01
4
That is about a year old; the latest is 05/31/2025. I would ensure you are properly pulling the latest release to ensure it’s checking for out of date configs and ensuring the security of your container.
The ssl.conf in the master branch is dated 06/12/2024, so does the master branch need to be updated then? Or should linuxserver/swag point to the 3.22 branch?
```nginx
## Version 2024/12/06 - Changelog: https://github.com/linuxserver/docker-baseimage-alpine-nginx/commits/master/root/defaults/nginx/ssl.conf.sample
### Mozilla Recommendations
# generated 2024-12-06, Mozilla Guideline v5.7, nginx 1.26.2, OpenSSL 3.3.2, intermediate config, no OCSP
# https://ssl-config.mozilla.org/#server=nginx&version=1.26.2&config=intermediate&openssl=3.3.2&ocsp=false&guideline=5.7
ssl_certificate /config/keys/cert.crt;
ssl_certificate_key /config/keys/cert.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
ssl_dhparam /config/nginx/dhparams.pem;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
```
This file has been truncated.
Edit: Looks like removing the master is the plan, so swag should be updated
master
← demaster
opened 03:07PM - 31 May 25 UTC
## Description:
Quick change just to stop master building stable releases as well as the 3.22 branch.
Actually this appears to be being addressed already:
master
← 3.22
opened 05:51PM - 09 Jul 25 UTC
driz
11 July 2025 13:36
7
As noted in the GHI you opened (there is really no need for you to post the same info in multiple places), your confs are outdated and your container logs would tell you this. The ssl_stapling was commented out by default in August of 2022; it was fully removed in November of 2024.
tl;dr this issue only exists for users that do not properly update their container, which is also why very few see this issue.
opened 01:12PM - 11 Jul 25 UTC
closed 01:31PM - 11 Jul 25 UTC
### Is there an existing issue for this?
- [x] I have searched the existing issues
### Current Behavior
As documented here: https://discourse.linuxserver.io/t/nginx-warnings-in-swag-log-about-ssl-stapling-ignored/10624
Nginx is spamming a warning to the log
> nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
### Expected Behavior
This is fixed in 3.22 of alpine-nginx, but swag still points to the master branch
https://github.com/linuxserver/docker-baseimage-alpine-nginx/blob/3.22/root/defaults/nginx/ssl.conf.sample
Which appears to be on the outs
https://github.com/linuxserver/docker-baseimage-alpine-nginx/pull/185
So swag should be updated to use the default branch?
### Steps To Reproduce
Have a proxy-config that doesn't work and then fix it and the logs get the ssl stapling warning
### Environment
```markdown
- OS:
- How docker service was installed:
```
### CPU architecture
x86-64
### Docker creation
```bash
Unraid container
```
### Container logs
```bash
...
Server ready
/config/nginx/proxy-confs/ MODIFY test.subdomain.conf
nginx: [emerg] unexpected "}" in /config/nginx/proxy-confs/test.subdomain.conf:43
nginx: configuration file /etc/nginx/nginx.conf test failed
Changes to nginx config detected but the changes are not valid, skipping nginx reload. Please fix your config.
/config/nginx/proxy-confs/ MODIFY test.subdomain.conf
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/config/keys/cert.crt"
```
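The mismatch behind the warning in this thread (stapling still switched on in ssl.conf while the certificate names no OCSP responder) can be checked directly. This is an added example, not part of the original posts or the linuxserver project's code; the function names are hypothetical, and it assumes `awk` and `openssl` are available where it runs.

```shell
#!/bin/sh
# Added example: locate stale OCSP stapling directives in an nginx config and
# check whether the certificate still names an OCSP responder.
# Usage (paths as quoted in the thread; adjust for host vs. container):
#   check_stapling /swag/config/nginx/ssl.conf /config/keys/cert.crt

# Print "file:line:directive" for every ACTIVE (uncommented) ssl_stapling or
# ssl_stapling_verify directive that is set to "on".
active_stapling() {
    awk '
        { line = $0; sub(/#.*/, "", line) }        # ignore comments
        line ~ /^[ \t]*ssl_stapling(_verify)?[ \t]+on[ \t]*;/ {
            gsub(/^[ \t]+|[ \t]+$/, "", line)      # trim whitespace
            printf "%s:%d:%s\n", FILENAME, FNR, line
        }
    ' "$1"
}

# Succeed only if the certificate carries an OCSP responder URL.
# "openssl x509 -ocsp_uri" prints nothing when the certificate has none.
cert_has_ocsp_uri() {
    [ -n "$(openssl x509 -noout -ocsp_uri -in "$1" 2>/dev/null)" ]
}

# Return 0 when config and certificate agree, 1 on the mismatch that
# triggers the warning, 2 when the certificate cannot be read.
check_stapling() {
    conf=$1
    cert=$2
    hits=$(active_stapling "$conf")
    if [ -z "$hits" ]; then
        echo "OK: no active ssl_stapling directives in $conf"
        return 0
    fi
    if [ ! -r "$cert" ]; then
        echo "ERROR: cannot read certificate $cert"
        return 2
    fi
    if cert_has_ocsp_uri "$cert"; then
        echo "OK: stapling enabled and certificate names an OCSP responder"
        return 0
    fi
    echo "MISMATCH: stapling enabled but certificate has no OCSP responder URL"
    echo "$hits"
    return 1
}
```

A return code of 1 points at the exact file and line to comment out or set to `off`, or to replace by pulling the current default config.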