SSL Stapling Off for VirtualHosts

Answered

Comments

9 comments

  • cPRex Jurassic Moderator

    Hey there!  The short answer is that Let's Encrypt is slowly killing off OCSP stapling:

    https://community.letsencrypt.org/t/ending-ocsp-support-in-2025-webserver-configuration/229787

    We still have it enabled globally on the server, but if it's enabled for each vhost the SSL renewals won't happen properly.

    1
  • vatra

    Thank you Rex!

    Didn't know about that one. It's certainly smarter to move away from OCSP to the CRL system. It's faster and more private. Can I disable stapling globally then? I've read that most CAs are moving away from OCSP as a practice. The only concern may be the apps that rely on this method, because the usual clients (browsers) won't be affected by disabled stapling.

    0
  • vatra

    Disabled it globally, but each VirtualHost still has SSLUseStapling off. Is cPanel doing it? Can it be removed?

    0
  • cPRex Jurassic Moderator

    Yes, this is something we specifically configure by default, and I'm honestly not seeing a good way to override that setting.  Is this causing a problem in some way?  It's been an "optional" tool since 2023 and most providers are moving away from that: https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp

    1
  • vatra

    No, it's not causing any problems. I'm exploring options to make my httpd.conf as lightweight as possible. This should be an option. When you disable OCSP stapling, cPanel should remove the SSLUseStapling off from the global and VH locations. Anyway, this is the default; it's redundant to leave it.

    0
  • cPRex Jurassic Moderator

    Makes sense!  Let me see what the team says about this one and I'll get back to you.

    1
  • cPRex Jurassic Moderator

    The only way to make this happen is to create a custom .local template using the details here:

    https://support.cpanel.net/hc/en-us/articles/360052016374-How-can-I-customize-the-Apache-Virtual-Host-templates

    Once you edit the .local file you'll see the following section:

    [% IF supported.stapling && !has_ocsp(vhost.sslcertificatefile) -%]
        SSLUseStapling off
    [% END -%]

    so removing that block would remove the logic that builds that line.

    1
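As an added example (not code from the thread, and not cPanel's own tooling), here is a small shell audit for the step above: once the block has been removed from the .local template and Apache's configuration has been rebuilt, it lists every place SSLUseStapling is still set, both the global copy and any per-VirtualHost copy, counts the ones that merely restate Apache's default of off, and offers a live check of what the server actually sends. The config it parses is constructed for the example; on a cPanel server the real file is /etc/apache2/conf/httpd.conf.

```shell
#!/bin/sh
# Added example, not from the thread or from cPanel: audit where SSLUseStapling
# is still set after the vhost template edit, then check a live server.
# The sample config below is constructed for this example; on a cPanel server
# point the functions at /etc/apache2/conf/httpd.conf instead.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
SSLUseStapling off
SSLStaplingCache "shmcb:/run/apache2/stapling_cache(128000)"

<VirtualHost 203.0.113.10:443>
    ServerName example.com
    SSLUseStapling off
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName clean.example.com
</VirtualHost>
EOF

# stapling_directives CONF
# Prints one line per SSLUseStapling directive: "global <value>" for the
# server-wide setting and "vhost <ServerName> <value>" for each VirtualHost
# that carries its own copy. VirtualHosts without the directive print nothing,
# which is what a vhost built from the edited template should look like.
stapling_directives() {
  awk '
    /^[[:space:]]*<VirtualHost/ { invhost = 1; name = "(unnamed)"; val = ""; next }
    invhost && /^[[:space:]]*ServerName[[:space:]]/     { name = $2; next }
    invhost && /^[[:space:]]*SSLUseStapling[[:space:]]/ { val = $2; next }
    /^[[:space:]]*<\/VirtualHost>/ {
      if (val != "") print "vhost", name, val
      invhost = 0; next
    }
    !invhost && /^[[:space:]]*SSLUseStapling[[:space:]]/ { print "global", $2 }
  ' "$1"
}

# redundant_off_count CONF
# Counts directives that only restate Apache's default (SSLUseStapling
# defaults to off), i.e. exactly the lines the template edit removes.
redundant_off_count() {
  stapling_directives "$1" | awk 'tolower($NF) == "off" { n++ } END { print n + 0 }'
}

# live_stapling_status HOST [PORT]
# Asks a running server for a stapled OCSP response. With stapling off,
# OpenSSL reports "OCSP response: no response sent". Needs network access,
# so it is not run against the sample config here.
live_stapling_status() {
  host="$1"; port="${2:-443}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
    | grep -i 'OCSP response' | head -n 1
}

stapling_directives "$SAMPLE_CONF"
echo "directives restating the default: $(redundant_off_count "$SAMPLE_CONF")"
```

On the sample config this reports the global line and the example.com vhost (two redundant "off" directives) and stays silent for clean.example.com. Run `live_stapling_status yourdomain.example` against the real server after `httpd -t` and a graceful restart to confirm nothing is stapled regardless of what the config files say.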
  • vatra

    That was it, thank you! I deliberately do these seemingly meaningless tweaks. But that is the best way I learn about the system.

    0
  • cPRex Jurassic Moderator

    I'm glad that did the trick!!

    1