Update to Android 16 (SDK 36) causes CertPathValidatorException with API calls


After updating to Android 16, my app began failing SSL handshakes during API calls with the following exception:

Caused by: java.security.cert.CertPathValidatorException: Response is unreliable: its validity interval is out-of-date
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:222)
at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:705)

What I’ve tried:

  • Confirmed that this issue does not occur on Android versions before 16.
  • Reproduced the issue on multiple devices and emulators running Android 16.
  • Bumping all OkHttp, Retrofit and Android dependency versions
3
Jul 10 at 7:27 PM
LethalMaus
Tags: android, rest, ssl, trustmanager, android-16

Accepted Answer

Seemingly, this is a server-side certificate issue that manifests more strictly in Android 16.

Starting with Android 16, it seems the platform enforces stricter validation of OCSP responses during certificate chain validation. If the Next Update timestamp in the OCSP response is in the past, Android considers the response unreliable and fails the SSL handshake.

There is nothing you can fix on the Android side. The issue lies in the certificate issuer’s OCSP responder.

You can confirm this by running:

openssl s_client -connect yourdomain.com:443 -status

Look for this section:

OCSP Response Data:
    ...
    Next Update: Jul  8 12:00:00 2025 GMT

Contact your certificate provider (in my case Let's Encrypt) or hosting provider to ensure that their OCSP responses are properly refreshed. Renew the certificate if it's expired or misconfigured.

If you're using a CDN or proxy, check if they're caching or serving stale OCSP responses.

This affects not only Let’s Encrypt but any CA that provides stale OCSP responses.

Previous Android versions ignored the staleness of the Next Update field, but Android 16 now strictly enforces it for security.

Let's Encrypt have also decided to drop support for OCSP.

https://letsencrypt.org/2024/12/05/ending-ocsp/

Earlier this year we announced our intent to provide certificate revocation information exclusively via Certificate Revocation Lists (CRLs), ending support for providing certificate revocation information via the Online Certificate Status Protocol (OCSP). Today we are providing a timeline for ending OCSP services:

  • January 30, 2025
    • OCSP Must-Staple requests will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension
  • May 7, 2025
    • Prior to this date we will have added CRL URLs to certificates
    • On this date we will drop OCSP URLs from certificates
    • On this date all requests including the OCSP Must Staple extension will fail
  • August 6, 2025:
    • On this date we will turn off our OCSP responders
LethalMaus
Jul 10 at 7:27 PM
3
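A small script to automate the check described in the answer, added here as an example and not part of the question or the answer: it runs the same openssl s_client -status command, parses the Next Update line from the OCSP Response Data block, and reports a stapled response whose Next Update is already in the past, which is the condition Android 16 rejects. The sample output embedded below is constructed, and the host passed to check_host is whatever API host you want to verify.

```python
import re
import subprocess
from datetime import datetime, timezone

# Time format openssl prints in the "OCSP Response Data" block, e.g. "Jul  8 12:00:00 2025 GMT".
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_ocsp_validity(s_client_output):
    """Return (this_update, next_update) as UTC datetimes, or None if no OCSP response was stapled."""
    if "OCSP Response Data:" not in s_client_output:
        return None

    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", s_client_output, re.MULTILINE)
        if not m:
            return None
        return datetime.strptime(m.group(1), OPENSSL_TIME).replace(tzinfo=timezone.utc)

    return field("This Update"), field("Next Update")


def ocsp_status(s_client_output, now=None):
    """Classify a stapled response as 'fresh', 'stale' (Next Update already passed) or 'no-ocsp'."""
    now = now or datetime.now(timezone.utc)
    validity = parse_ocsp_validity(s_client_output)
    if validity is None or validity[1] is None:
        return "no-ocsp"
    return "stale" if validity[1] < now else "fresh"


def check_host(host, port=443):
    """Run the same command the answer uses against a live server and classify its stapled response."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return ocsp_status(proc.stdout.decode(errors="replace"))


# Constructed excerpt of `openssl s_client -status` output, shaped like the one quoted in the answer.
SAMPLE_OUTPUT = """\
OCSP Response Data:
    Cert Status: good
    This Update: Jul  1 12:00:00 2025 GMT
    Next Update: Jul  8 12:00:00 2025 GMT
"""

if __name__ == "__main__":
    # Evaluated as of the question's date, the sample response is already stale -> "stale"
    print(ocsp_status(SAMPLE_OUTPUT, now=datetime(2025, 7, 10, 19, 27, tzinfo=timezone.utc)))
```

Call check_host("your.api.host") to test a real endpoint; a result of "stale" from a server that still staples OCSP is exactly what produces the "validity interval is out-of-date" failure on Android 16.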