Let’s Encrypt stops OCSP support
Daniel Nashed – 22 June 2025 22:12:16
Let's Encrypt is ending OCSP support and going back to classic CRLs. According to the announcement, newly issued certificates no longer carry an OCSP URI as of 7 May 2025, and the OCSP responders are scheduled to be switched off on 6 August 2025. The main reason given is privacy: every OCSP query tells the CA which site a client is visiting.
You find details about this change here -> https://letsencrypt.org/2024/12/05/ending-ocsp/
I blogged about OCSP stapling a while ago and just updated the post with this new information.
https://blog.nashcom.de/nashcomblog.nsf/dx/ocsp-stapling-and-why-it-matters-improve-your-https-performance.htm
The Domino TLS Cache supports OCSP caching and provides OCSP data to the HTTP task for stapling,
but the back-end code does not distinguish between certificates with and without OCSP information.
The TLS Cache re-checks the status every 10 minutes, so the overhead in the back-end thread is small.
Still, it is better to disable OCSP stapling when your certificates carry no OCSP responder URI: there is nothing to staple, and every re-check is wasted work.
Here is how to check whether a certificate has an OCSP responder.
Either look at the Authority Information Access section of the full openssl -text output, or just print the OCSP URI with -ocsp_uri as shown below. An empty result means the certificate names no OCSP responder.
I disabled OCSP stapling on my servers a while ago.
If you never enabled it on Domino, there is nothing to change.
But this information might also be important for other server types that use OCSP stapling in combination with Let's Encrypt certificates.
openssl x509 -in buypass.pem -noout -text
Authority Information Access:
OCSP - URI:http://ocsp.buypass.com
CA Issuers - URI:http://crt.buypass.no/crt/BPClass2CA5.cer
openssl x509 -in buypass.pem -noout -ocsp_uri
http://ocsp.buypass.com
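As an added example (not from the original post and not Domino code), here is a small POSIX shell script that automates the check above: it prints the OCSP and CRL URIs of a PEM certificate, classifies the certificate by its revocation pointers, and recommends whether stapling is worth enabling. It assumes OpenSSL 1.1.1 or newer on PATH (needed for the -ext option); the file and host names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: decide whether OCSP stapling
# makes sense for a certificate by looking at its revocation pointers.
# Assumes OpenSSL 1.1.1 or newer on PATH (needed for -ext).
# Usage: sh ocsp_check.sh cert.pem [cert2.pem ...]

# Print every OCSP responder URI from the Authority Information Access
# extension, one per line. Empty output means no responder.
ocsp_uris() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null
}

# Print every URI from the CRL Distribution Points extension, one per line.
# In the -ext output the URIs are indented lines starting with "URI:".
crl_uris() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p'
}

# Classify a certificate:
#   ocsp - names an OCSP responder, so stapling has something to fetch
#   crl  - only CRL distribution points, nothing to staple
#   none - neither, clients cannot check revocation from the cert at all
revocation_source() {
    if [ -n "$(ocsp_uris "$1")" ]; then
        echo ocsp
    elif [ -n "$(crl_uris "$1")" ]; then
        echo crl
    else
        echo none
    fi
}

# Stapling recommendation for Domino or any other server with a stapling
# switch: only worth enabling when the certificate actually names a responder.
stapling_advice() {
    case "$(revocation_source "$1")" in
        ocsp) echo enable ;;
        *)    echo disable ;;
    esac
}

# Live check of a running server: does it send a stapled OCSP response?
# Needs network access; the offline checks above do not use it.
server_staples() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -q '^OCSP Response Status: successful'
}

# Report on every certificate file given on the command line.
for cert in "$@"; do
    printf '%s: %s -> stapling: %s\n' \
        "$cert" "$(revocation_source "$cert")" "$(stapling_advice "$cert")"
done
```

Run it against the leaf certificate your server is serving (for Let's Encrypt, the one in the certificate chain file). A result of crl or none means stapling has nothing to fetch and can be disabled; server_staples is a separate network spot check against a live host, for example after changing the Domino setting.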