Using Custom Certificate Without OCSP

Server Version#: 1.43.0.10492

TLDR: Is OCSP certificate revocation checking required to use custom certificates? Can it be bypassed, or alternately CRL used?

I use Traefik with the Let’s Encrypt ACME certificate resolver to issue a wildcard certificate to my Docker containers, including Plex. Traefik’s JSON certificate storage is decoded to output the certificate’s private key and certificate (including intermediate cert) PEM, and then encoded as PKCS12 via:

openssl pkcs12 -export -out plex-certificate.p12 \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
  -inkey privatekey.key -in certificate.crt -passout pass:password

Note that I’m using the newer encoding options, and openssl ~1.1.1 and ~3.0 have identical output. I can verify the key file is valid by again using openssl to deconstruct it to PEM and verifying with openssl x509 …. I have populated the certificate settings via web UI appropriately (filename, password, and domain).

My certificates always result in:

DEBUG - [CERT/OCSP] no URL available
WARN - [CERT/OCSP] getCertInfo failed; skipping stapling
ERROR - [CERT] Found a user-provided certificate, but couldn't install it.

After many hours of searching and reading, I have discovered that Let’s Encrypt has phased out support for OCSP (also “stapling”), ending in August 2025: https://letsencrypt.org/2024/12/05/ending-ocsp

This would seem to explain the no URL available error, as certificates issued by Let’s Encrypt no longer include an OCSP URI. This is verified by examining the applicable section of the output of openssl-3 x509 -in certificate.crt -text -noout:

Authority Information Access: 
    CA Issuers - URI:http://r12.i.lencr.org/

Is the lack of OCSP the real issue causing my custom certificate to fail to load?

Can confirm it works without OCSP. The problem was elsewhere.
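
Added example, not part of the thread: a shell check that separates the two questions raised above, namely whether a certificate carries an OCSP responder URL and whether the PKCS12 bundle built with the post's options opens with its password and contains that certificate. The throwaway self-signed certificates, the `example.invalid` names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed input: short-lived self-signed certs, not real Let's Encrypt output.

# make_cert DIR NAME AIA: self-signed cert with the given Authority Information Access
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2.example.invalid" -addext "authorityInfoAccess = $3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# ocsp_status CERT: prints "ocsp:<url>" if the cert names an OCSP responder, else "no-ocsp"
ocsp_status() {
  url=$(openssl x509 -in "$1" -noout -ocsp_uri) || return 1
  if [ -n "$url" ]; then echo "ocsp:$url"; else echo "no-ocsp"; fi
}

# fp: SHA-256 fingerprint of the first PEM certificate on stdin
fp() { openssl x509 -noout -fingerprint -sha256 2>/dev/null; }

# p12_roundtrip KEY CERT P12 PASS: build the bundle with the options from the post,
# then confirm it opens with PASS and that the leaf certificate inside is CERT
p12_roundtrip() {
  openssl pkcs12 -export -out "$3" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg SHA256 \
    -inkey "$1" -in "$2" -passout "pass:$4" || return 1
  want=$(fp < "$2") || return 1
  got=$(openssl pkcs12 -in "$3" -passin "pass:$4" -nokeys -clcerts 2>/dev/null | fp) \
    || return 1
  [ -n "$got" ] && [ "$want" = "$got" ]
}

work=$(mktemp -d)
# "legacy" mimics a cert issued with an OCSP URI, "current" one with CA Issuers only
make_cert "$work" legacy \
  "OCSP;URI:http://ocsp.example.invalid/, caIssuers;URI:http://ca.example.invalid/"
make_cert "$work" current "caIssuers;URI:http://ca.example.invalid/"

for c in legacy current; do
  echo "$c: $(ocsp_status "$work/$c.crt")"
done

if p12_roundtrip "$work/current.key" "$work/current.crt" "$work/current.p12" password
then echo "current.p12: opens with password, leaf certificate matches"
else echo "current.p12: bundle is unreadable or holds a different certificate"
fi
```

A `no-ocsp` result together with a passing round trip matches the outcome reported in the thread: the missing OCSP URL only skips stapling, so the install failure has to be looked for elsewhere.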