https://github.com/certbot/certbot/issues/9967
https://bugs.gentoo.org/937889
--- a/certbot/ocsp.py
+++ b/certbot/ocsp.py
@@ -4,6 +4,7 @@ from datetime import timedelta
 import logging
 import re
 import subprocess
+import warnings
 from subprocess import PIPE
 from typing import Optional
 from typing import Tuple
@@ -235,12 +236,17 @@ def _check_ocsp_response(response_ocsp: 'ocsp.OCSPResponse', request_ocsp: 'ocsp
     # https://github.com/openssl/openssl/blob/ef45aa14c5af024fcb8bef1c9007f3d1c115bd85/crypto/ocsp/ocsp_cl.c#L338-L391
     # thisUpdate/nextUpdate are expressed in UTC/GMT time zone
     now = datetime.now(pytz.UTC).replace(tzinfo=None)
-    if not response_ocsp.this_update:
-        raise AssertionError('param thisUpdate is not set.')
-    if response_ocsp.this_update > now + timedelta(minutes=5):
-        raise AssertionError('param thisUpdate is in the future.')
-    if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
-        raise AssertionError('param nextUpdate is in the past.')
+    with warnings.catch_warnings():
+        # Workaround for deprecation warnings w/ newer cryptography
+        # https://github.com/certbot/certbot/issues/9967 (bug #937889)
+        warnings.filterwarnings("ignore", category=CryptographyDeprecationWarning)
+
+        if not response_ocsp.this_update:
+            raise AssertionError('param thisUpdate is not set.')
+        if response_ocsp.this_update > now + timedelta(minutes=5):
+            raise AssertionError('param thisUpdate is in the future.')
+        if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
+            raise AssertionError('param nextUpdate is in the past.')
 
 
 def _check_ocsp_response_signature(response_ocsp: 'ocsp.OCSPResponse',