auto-ssl · kapouer · Jun 6, 2025
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua
@@ -1,6 +1,5 @@
 local http = require "resty.http"
 local lock = require "resty.lock"
-local ocsp = require "ngx.ocsp"
 local ssl = require "ngx.ssl"
 local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt"
 
@@ -156,94 +155,6 @@ local function get_cert_der(auto_ssl_instance, domain, ssl_options)
   return nil, "failed to get or issue certificate"
 end
 
-local function get_ocsp_response(fullchain_der, auto_ssl_instance)
-  -- Pull the OCSP URL to hit out of the certificate chain.
-  local ocsp_url, ocsp_responder_err = ocsp.get_ocsp_responder_from_der_chain(fullchain_der)
-  if not ocsp_url then
-    return nil, "failed to get OCSP responder: " .. (ocsp_responder_err or "")
-  end
-
-  -- Generate the OCSP request body.
-  local ocsp_req, ocsp_request_err = ocsp.create_ocsp_request(fullchain_der)
-  if not ocsp_req then
-    return nil, "failed to create OCSP request: " .. (ocsp_request_err or "")
-  end
-
-  -- Make the OCSP request against the OCSP server.
-  local httpc = http.new()
-  httpc:set_timeout(10000)
-  local http_proxy_options = auto_ssl_instance:get("http_proxy_options")
-  if http_proxy_options then
-    httpc:set_proxy_options(http_proxy_options)
-  end
-
-  local res, req_err = httpc:request_uri(ocsp_url, {
-    method = "POST",
-    body = ocsp_req,
-    headers = {
-      ["Content-Type"] = "application/ocsp-request",
-    }
-  })
-
-  -- Perform various checks to ensure we have a valid OCSP response.
-  if not res then
-    return nil, "OCSP responder query failed (" .. (ocsp_url or "") .. "): " .. (req_err or "")
-  end
-
-  if res.status ~= 200 then
-    return nil, "OCSP responder returns bad HTTP status code (" .. (ocsp_url or "") .. "): " .. (res.status or "")
-  end
-
-  local ocsp_resp = res.body
-  if not ocsp_resp or ocsp_resp == "" then
-    return nil, "OCSP responder returns bad response body (" .. (ocsp_url or "") .. "): " .. (ocsp_resp or "")
-  end
-
-  local ok, ocsp_validate_err = ocsp.validate_ocsp_response(ocsp_resp, fullchain_der)
-  if not ok then
-    return nil, "failed to validate OCSP response (" .. (ocsp_url or "") .. "): " .. (ocsp_validate_err or "")
-  end
-
-  return ocsp_resp
-end
-
-local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
-  -- Fetch the OCSP stapling response from the cache, or make the request to
-  -- fetch it.
-  local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain)
-  if not ocsp_resp then
-    -- If the certificate was just issued on the current request, wait 1 second
-    -- before making the initial OCSP request. Otherwise Let's Encrypt seems to
-    -- return an Unauthorized response.
-    if cert_der["newly_issued"] then
-      ngx.sleep(1)
-    end
-
-    local ocsp_response_err
-    ocsp_resp, ocsp_response_err = get_ocsp_response(cert_der["fullchain_der"], auto_ssl_instance)
-    if ocsp_response_err then
-      return false, "failed to get ocsp response: " .. (ocsp_response_err or "")
-    end
-
-    -- Cache the OCSP stapling response for 1 hour (this is what nginx does by
-    -- default).
-    local _, set_ocsp_err, set_ocsp_forcible = ngx.shared.auto_ssl:set("domain:ocsp:" .. domain, ocsp_resp, 3600)
-    if set_ocsp_err then
-      ngx.log(ngx.ERR, "auto-ssl: failed to set shdict cache of OCSP response for " .. domain .. ": ", set_ocsp_err)
-    elseif set_ocsp_forcible then
-      ngx.log(ngx.ERR, "auto-ssl: 'lua_shared_dict auto_ssl' might be too small - consider increasing its configured size (old entries were removed while adding OCSP response for " .. domain .. ")")
-    end
-  end
-
-  -- Set the OCSP stapling response.
-  local ok, ocsp_status_err = ocsp.set_ocsp_status_resp(ocsp_resp)
-  if not ok then
-    return false, "failed to set ocsp status resp: " .. (ocsp_status_err or "")
-  end
-
-  return true
-end
-
 local function set_response_cert(auto_ssl_instance, domain, cert_der)
   local ok, err
 
@@ -254,12 +165,6 @@ local function set_response_cert(auto_ssl_instance, domain, cert_der)
     return nil, "failed to clear existing (fallback) certificates - " .. (err or "")
   end
 
-  -- Set OCSP stapling.
-  ok, err = set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
-  if not ok then
-    ngx.log(auto_ssl_instance:get("ocsp_stapling_error_level"), "auto-ssl: failed to set ocsp stapling for ", domain, " - continuing anyway - ", err)
-  end
-
   -- Set the public certificate chain.
   ok, err = ssl.set_der_cert(cert_der["fullchain_der"])
   if not ok then