diff --git a/internal/autocert/certmagic_logger.go b/internal/autocert/certmagic_logger.go
new file mode 100644
index 000000000..10671d8b7
--- /dev/null
+++ b/internal/autocert/certmagic_logger.go
@@ -0,0 +1,50 @@
+package autocert
+
+import (
+	"strings"
+
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+
+	"github.com/pomerium/pomerium/internal/log"
+)
+
+type certMagicLoggerCore struct {
+	core   zapcore.Core
+	fields []zapcore.Field
+}
+
+func (c certMagicLoggerCore) Enabled(lvl zapcore.Level) bool {
+	return c.core.Enabled(lvl)
+}
+
+func (c certMagicLoggerCore) With(fs []zapcore.Field) zapcore.Core {
+	return certMagicLoggerCore{core: c.core, fields: append(c.fields, fs...)}
+}
+
+func (c certMagicLoggerCore) Check(e zapcore.Entry, ce *zapcore.CheckedEntry) *zapcore.CheckedEntry {
+	return ce.AddCore(e, c)
+}
+
+func (c certMagicLoggerCore) Write(e zapcore.Entry, fs []zapcore.Field) error {
+	fs = append(c.fields, fs...)
+	for _, f := range fs {
+		if f.Type == zapcore.ErrorType && strings.Contains(f.Interface.(error).Error(), "no OCSP server specified in certificate") {
+			// ignore this error message (#4245)
+			return nil
+		}
+	}
+	return c.core.Write(e, fs)
+}
+
+func (c certMagicLoggerCore) Sync() error {
+	return c.core.Sync()
+}
+
+func getCertMagicLogger() *zap.Logger {
+	logger := log.ZapLogger().With(zap.String("service", "autocert"))
+	logger = logger.WithOptions(zap.WrapCore(func(c zapcore.Core) zapcore.Core {
+		return certMagicLoggerCore{core: c}
+	}))
+	return logger
+}
diff --git a/internal/autocert/manager.go b/internal/autocert/manager.go
index 9067a0c2c..eca3a2f4c 100644
--- a/internal/autocert/manager.go
+++ b/internal/autocert/manager.go
@@ -18,7 +18,6 @@ import (
 	"github.com/caddyserver/certmagic"
 	"github.com/mholt/acmez/acme"
 	"github.com/rs/zerolog"
-	"go.uber.org/zap"
 
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/httputil"
@@ -78,7 +77,7 @@ func newManager(ctx context.Context,
 		return nil, err
 	}
 
-	logger := log.ZapLogger().With(zap.String("service", "autocert"))
+	logger := getCertMagicLogger()
 	acmeTemplate.Logger = logger
 
 	mgr := &Manager{