diff --git a/certbot/CHANGELOG.md b/certbot/CHANGELOG.md
index 3a7c26735..fc7613847 100644
--- a/certbot/CHANGELOG.md
+++ b/certbot/CHANGELOG.md
@@ -18,7 +18,9 @@ Certbot adheres to [Semantic Versioning](https://semver.org/).
 ### Fixed
-*
+* Fixed a bug introduced in Certbot 3.1.0 where OpenSSL environment variables
+ needed in our snap configuration were persisted in calls to external programs
+ like nginx which could cause them to fail to load OpenSSL.
 More details about these changes can be found on our GitHub repo.
diff --git a/certbot/certbot/util.py b/certbot/certbot/util.py
index 82a8219fb..6bd851c29 100644
--- a/certbot/certbot/util.py
+++ b/certbot/certbot/util.py
@@ -165,6 +165,12 @@ def env_no_snap_for_external_calls() -> Dict[str, str]:
 # Avoid accidentally modifying env
 if 'SNAP' not in env or 'CERTBOT_SNAPPED' not in env:
 return env
+
+ # These environment variables being set when running external programs can cause issues if these
+ # programs also use OpenSSL. See https://github.com/certbot/certbot/issues/10190.
+ env.pop('OPENSSL_FORCE_FIPS_MODE', None)
+ env.pop('OPENSSL_MODULES', None)
+
 for path_name in ('PATH', 'LD_LIBRARY_PATH'):
 if path_name in env:
 env[path_name] = ':'.join(x for x in env[path_name].split(':') if env['SNAP'] not in x)
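Review bot: The two added `env.pop(...)` calls in `env_no_snap_for_external_calls` drop `OPENSSL_FORCE_FIPS_MODE` and `OPENSSL_MODULES` whatever their origin, so a value the operator exported on the host is removed along with the snap's. The `PATH`/`LD_LIBRARY_PATH` loop just below filters only entries containing `env['SNAP']`. For `OPENSSL_FORCE_FIPS_MODE` this matters for policy: a hook or nginx reload could run without the forced-FIPS setting the host intended. If the snap points `OPENSSL_MODULES` at a path under `$SNAP` (not visible here), the removal could be scoped the same way, e.g. `if env['SNAP'] in env.get('OPENSSL_MODULES', ''): del env['OPENSSL_MODULES']`. The comment could also state that these are exactly the variables the snap wrapper sets, so the list gets revisited when the wrapper changes. The function starts above the hunk and may continue below it, so any restoring of original values elsewhere is not visible from here.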