#1363 closed defect (duplicate)

OCSP responder timed out on IPv6 only server

Reported by: v10lator.myway.de@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.10.x
Keywords: Cc:
uname -a: Linux nl01-v6 2.6.32-48-pve #1 SMP Fri Dec 23 10:22:54 CET 2016 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.10.3 built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-2tpxfc/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-cache-purge --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx-fancyindex --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nchan --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

Description

This is the error message:

OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

The OSCP responder seems to have A and AAAA records:

$ nslookup ocsp.int-x3.letsencrypt.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
ocsp.int-x3.letsencrypt.org     canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net       canonical name = a771.dscq.akamai.net.
Name:   a771.dscq.akamai.net
Address: 2.21.242.245
Name:   a771.dscq.akamai.net
Address: 2.21.242.204
Name:   a771.dscq.akamai.net
Address: 2a02:26f0:10::5c7a:d419
Name:   a771.dscq.akamai.net
Address: 2a02:26f0:10::5c7a:d410

For me this seems as nginx tries to connect by IPv4 which can't work as the server this is running at is IPv6 only.

So either nginx should at least try a fallback to IPv6 if IPv4 fails or offer an option for the resolver to disable IPv4 (ipv4=off - we have the exact same switch for IPv6 already).

Change History (1)

comment:1 Changed 10 months ago by mdounin

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #1330.

Note: See TracTickets for help on using tickets.