Keep in mind that these are not actual errors, just warnings. Your site has SSL Stapling enabled, so Nginx tries to check the certificate but the OCSP URL doesn’t exist, which results in a log notification. Your sites will work as expected, no problem at all.
As you said, to avoid the warning in the logs, the templates should be modified and the sites rebuilt. However, keep in mind that Let’s Encrypt isn’t the only CA out there, other CAs still use OCSP, so SSL Stapling remains valid for those certificates.
That said, to avoid confusion, and because I'd guess more than 90% of users (made-up percentage) use Let's Encrypt, it might be a good idea to comment out the SSL Stapling directives in all templates.
Ideally, there would be an option to enable or disable SSL Stapling when adding the certificate, but that’s another battle.
Until the devs decide whether to comment out SSL Stapling in the templates (if they agree I can add a PR), you can use this script to modify them all and rebuild every user’s mail and web domains.
curl -fsSLm10 https://7j.gg/remstap | sudo bash -s --
This is the script:
#!/usr/bin/env bash
# Comment out the ssl_stapling directives in Hestia's nginx templates and in
# Hestia's own nginx config, then rebuild every user's web and mail domains so
# the generated per-domain configs pick up the change.
# Usage: remstap.sh [-f]   (-f: run even if no live config currently uses stapling)
set -euo pipefail
ARG="${1:-}"

if [[ $EUID -ne 0 ]]; then
    echo "Error: you must be root to execute this script" >&2
    exit 1
fi

# Colours are only set up on a terminal; the script also prompts via /dev/tty,
# so refuse to run non-interactively.
if [[ -t 1 ]]; then
    GC=$(tput setaf 34)   # green
    YC=$(tput setaf 226)  # yellow
    BC=$(tput setaf 27)   # blue
    OC=$(tput setaf 198)  # pink
    RC=$(tput setaf 1)    # red
    NC=$(tput sgr0)       # reset
else
    echo "Error: This script must be run interactively" >&2
    exit 2
fi

BIN="/usr/local/hestia/bin"
# Files that get modified: the templates and Hestia's own nginx config.
DIRS="/usr/local/hestia/data/templates/ /usr/local/hestia/nginx/"
# Live configs, only inspected to count how many currently use stapling.
INUSEDIRS="/etc/nginx/conf.d/domains/ /usr/local/hestia/nginx/"
BCKDIR="/root/backup_hestia_templates_$(date +'%Y-%-m-%d_%H%M')"

# grep exits 1 when nothing matches; don't let pipefail abort the script here.
set +o pipefail
# shellcheck disable=SC2086
NINUSE="$(grep -REl '^\s*ssl_stapling.*on;' $INUSEDIRS | wc -l)"
set -o pipefail

if [[ $NINUSE -eq 0 ]]; then
    echo "I didn't find any conf file using ssl stapling."
    if [[ "$ARG" != "-f" ]]; then
        echo "If you still want to modify the templates and rebuild your sites, use the ${YC}-f${NC} argument"
        exit
    else
        echo
        echo "${YC}Forcing execution...${NC}"
        echo
    fi
fi

echo "I've found ${YC}${NINUSE}${NC} configuration files using SSL stapling."
echo "I'll remove SSL stapling from templates and rebuild web and mail domains. ${OC}This may take a few minutes${NC}."
echo "Note: All modified files will be backed up in the ${BC}${BCKDIR}/${NC} directory."
echo
read -r -p "Do you want to continue? [y/N] " response </dev/tty
response=${response,,}
if [[ "$response" != "y" ]]; then
    echo "Aborting script."
    exit 1
fi

echo
echo -n "Modifying templates and conf: "
# Back up each matching file under BCKDIR (keeping its full path), then edit it
# in place: the first ssl_stapling line gets an explanatory comment above it,
# and every ssl_stapling / ssl_stapling_verify line is commented out.
# '|| true' keeps an empty match list (possible with -f) from aborting the script.
# shellcheck disable=SC2086
{ grep -rEl '^\s*ssl_stapling.*on.*' $DIRS || true; } | while read -r file; do
    mkdir -p "${BCKDIR}$(dirname "$file")"
    cp "$file" "${BCKDIR}$file"
    sed -i -E '
        0,/^\s*ssl_stapling/ {
            /^\s*ssl_stapling/ {
                s/^(\s*)(ssl_stapling.*)/\1\#Commented out ssl_stapling directives due to Lets Encrypt ending OCSP support in 2025\n\1#\2/
                b
            }
        }
        /^\s*ssl_stapling/ s/^(\s*)/\1#/
        /^\s*ssl_stapling_verify/ s/^(\s*)/\1#/
    ' "$file"
done
echo "${GC}Done${NC}"

# Regenerate each user's per-domain configs from the (now modified) templates.
for user in $("$BIN"/v-list-users plain | cut -f1 | sort); do
    echo "Rebuilding web and mail domains for user ${GC}${user}${NC}"
    if "$BIN"/v-rebuild-web-domains "$user" &>/dev/null; then
        echo "  Web domains: ${GC}OK${NC}"
    else
        echo "  Web domains: ${RC}FAIL${NC}"
    fi
    if "$BIN"/v-rebuild-mail-domains "$user" &>/dev/null; then
        echo "  Mail domains: ${GC}OK${NC}"
    else
        echo "  Mail domains: ${RC}FAIL${NC}"
    fi
done
echo

# Only restart nginx if the resulting configuration passes its syntax check.
if /usr/sbin/nginx -t &>/dev/null; then
    echo "Restarting nginx..."
    if systemctl restart nginx &>/dev/null; then
        echo "${GC}Nginx has been restarted${NC}"
    else
        echo "${RC}Error restarting nginx${NC}"
    fi
else
    echo "Seems ${RC}Nginx has some conf issues${NC}, check it, I won't try to restart the service."
    echo "These are the issues:"
    /usr/sbin/nginx -t
fi
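Since other CAs do still publish OCSP responders, here is an added example (my own, not code from the post above and not part of Hestia) that decides per certificate whether stapling is worth keeping instead of commenting it out everywhere. It reads the OCSP responder URL from the certificate's Authority Information Access extension with the openssl CLI, and for a directory of vhost files pairs each `ssl_certificate` with a keep/disable verdict. The certificates, vhost files and the responder URL `http://ocsp.example.test/` are constructed fixtures; on a Hestia box you would point `audit_vhosts` at `/etc/nginx/conf.d/domains/` instead. It assumes an openssl CLI of 1.1.1 or newer (for the `-addext` flag the fixture helper uses).

```shell
#!/usr/bin/env bash
# Added example (not from the forum post or from Hestia): keep ssl_stapling
# only where the certificate actually names an OCSP responder. A cert with no
# responder in its AIA extension gains nothing from stapling and only produces
# the warning discussed in the thread.
set -euo pipefail

# Print the OCSP responder URI(s) of a PEM certificate; prints nothing if none.
ocsp_uri() {
    openssl x509 -in "$1" -noout -ocsp_uri 2>/dev/null || true
}

# Return 0 if stapling is useful for this certificate (it has an OCSP
# responder), 1 otherwise.
stapling_useful() {
    [[ -n "$(ocsp_uri "$1")" ]]
}

# One-word recommendation for the vhost that uses this certificate.
stapling_advice() {
    if stapling_useful "$1"; then echo keep; else echo disable; fi
}

# Audit a directory of vhost configs: for each file whose first
# 'ssl_certificate' points at a readable PEM, report keep or disable.
audit_vhosts() {
    local dir="$1" conf cert
    for conf in "$dir"/*.conf; do
        [[ -e "$conf" ]] || continue
        cert="$(sed -nE 's/^\s*ssl_certificate\s+([^;]+);.*/\1/p' "$conf" | head -n1)"
        [[ -n "$cert" && -r "$cert" ]] || continue
        printf '%s %s\n' "$(basename "$conf")" "$(stapling_advice "$cert")"
    done
}

# Constructed fixture: a self-signed cert, optionally carrying an OCSP URI in
# its AIA extension. The responder address passed in is hypothetical.
make_cert() {   # make_cert OUT.pem [OCSP_URI]
    local out="$1" uri="${2:-}" ext=()
    if [[ -n "$uri" ]]; then
        ext=(-addext "authorityInfoAccess=OCSP;URI:$uri")
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "${out%.pem}.key" -out "$out" ${ext[@]+"${ext[@]}"} >/dev/null 2>&1
}

# Demo: one cert from a CA that still runs OCSP, one without any responder,
# a vhost file for each, then the audit.
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/other-ca.pem" "http://ocsp.example.test/"
make_cert "$tmp/letsencrypt.pem"
printf 'ssl_certificate %s;\nssl_stapling on;\n' "$tmp/other-ca.pem"    > "$tmp/a.conf"
printf 'ssl_certificate %s;\nssl_stapling on;\n' "$tmp/letsencrypt.pem" > "$tmp/b.conf"
audit_vhosts "$tmp"   # prints: a.conf keep / b.conf disable
```

Run it as root or as any user with read access to the certificates; the verdict is purely a property of the certificate, so a "disable" result for every vhost on a box that only uses Let's Encrypt is the expected outcome, while a mixed result tells you which templates are worth keeping stapling in.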