Opened 5 years ago

Closed 5 years ago

#1863 closed defect (invalid)

"ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate

Reported by: actionmystique@… Owned by:
Priority: minor Milestone:
Component: other Version: 1.17.x
Keywords: ssl_stapling ocsp Cc:
uname -a: Linux 5.3.0-17-generic #18-Ubuntu SMP Fri Oct 4 03:04:18 UTC 2019 x86_64 GNU/Linux
nginx -V: # nginx -V
nginx version: nginx/1.17.4 (x86_64-pc-linux-gnu)
built by gcc 9.2.1 20190909 (Ubuntu 9.2.1-8ubuntu1)
built with OpenSSL 1.1.1c 28 May 2019
TLS SNI support enabled
configure arguments: --build=x86_64-pc-linux-gnu --prefix=/usr/local/share/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx.pid --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --group=www-data --user=www-data --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module --with-stream_ssl_preread_module --with-threads

Description

Nginx relevant config:

        resolver 127.0.0.1:53;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_certificate domain.com.chained.crt;
        ssl_certificate_key domain.com_rsakey.pem;
        ssl_trusted_certificate letsencrypt_root_intermediate_bundle.pem;

domain.com.chained.crt is a bundle containing:

  • the domain wildcard certificate
  • letsencryptauthorityx3.pem
  • no anchor root certificate

letsencrypt_root_intermediate_bundle.pem is a bundle containing:

  • isrgrootx1.pem root certificate
  • letsencryptauthorityx3.pem

Testing the domain at https://www.ssllabs.com/ssltest reports:

No issue either when accessing ocsp.int-x3.letsencrypt.org:

# dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.15.4 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57953
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e26b5bf4a0c64fbc010000005d98883e0f932385bcae9d08 (good)
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.	IN	A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 599 IN	CNAME	ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 599 IN CNAME	a771.dscq.akamai.net.
a771.dscq.akamai.net.	599	IN	A	88.221.113.64
a771.dscq.akamai.net.	599	IN	A	88.221.113.51
a771.dscq.akamai.net.	599	IN	A	88.221.113.11

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 05 14:10:38 CEST 2019
;; MSG SIZE  rcvd: 221

# ping ocsp.int-x3.letsencrypt.org.edgesuite.net
PING a771.dscq.akamai.net (88.221.113.89) 56(84) bytes of data.
64 bytes from a88-221-113-89.deploy.static.akamaitechnologies.com (88.221.113.89): icmp_seq=1 ttl=58 time=5.80 ms

Yet, restarting nginx leads to:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "domain.com.chained.crt"

Is this a nginx or a configuration issue?

Change History (2)

comment:1 by actionmystique@…, 5 years ago

Replacing in the domain certificate bundle the contents of letsencryptauthorityx3.pem with the contents of lets-encrypt-x3-cross-signed.pem seems to solve/work around this issue.

comment:2 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: new → closed

The error message suggests there is a problem with resolution of the "ocsp.int-x3.letsencrypt.org" name, as performed by nginx on startup using the system resolver. You should check your DNS configuration - in particular, make sure that all nameservers listed in /etc/resolv.conf are working well and not broken.
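As an added diagnostic (not part of the ticket, and not nginx code), the script below reproduces the check behind this warning: it pulls the OCSP responder URL(s) out of the Authority Information Access extension of the leaf certificate and resolves each responder hostname through the system resolver, as nginx does at startup. It uses only the Python standard library; the DER walker is a minimal scanner for the AccessDescription shape rather than a full X.509 parser. The sample certificate it builds is a constructed, invalid stand-in that only mimics the nesting of a real certificate; the responder name "ocsp.int-x3.letsencrypt.org" is the one from the ticket, and the caIssuers URL is a placeholder.

```python
"""Reproduce nginx's startup prerequisite for ssl_stapling: find the OCSP responder
URL(s) in a PEM certificate and resolve their hostnames with the system resolver.
Standard library only. Constructed sample data; not a full X.509 parser."""
import base64
import re
import socket
from urllib.parse import urlparse

# DER contents of OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
ID_AD_OCSP = bytes.fromhex("2b06010505073001")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def _tlv_iter(data):
    """Yield (tag, value) for each top-level DER TLV; raise ValueError if not DER."""
    i, n = 0, len(data)
    while i < n:
        tag = data[i]
        i += 1
        if i >= n:
            raise ValueError("truncated tag")
        length = data[i]
        i += 1
        if length & 0x80:  # long form: next `num` bytes hold the length
            num = length & 0x7F
            if num == 0 or num > 4 or i + num > n:
                raise ValueError("bad length")
            length = int.from_bytes(data[i:i + num], "big")
            i += num
        if i + length > n:
            raise ValueError("truncated value")
        yield tag, data[i:i + length]
        i += length


def ocsp_urls(der):
    """Collect every id-ad-ocsp accessLocation URI found anywhere in a DER blob."""
    found = []

    def walk(blob):
        try:
            items = list(_tlv_iter(blob))
        except ValueError:
            return  # not DER (e.g. a key identifier inside an OCTET STRING)
        for tag, value in items:
            if tag == 0x30:  # SEQUENCE: test for AccessDescription {OID, [6] URI}
                try:
                    children = list(_tlv_iter(value))
                except ValueError:
                    children = []
                if (len(children) == 2 and children[0] == (0x06, ID_AD_OCSP)
                        and children[1][0] == 0x86):
                    found.append(children[1][1].decode("ascii"))
                    continue
            if tag & 0x20 or tag == 0x04:  # constructed, or OCTET STRING wrapping an extension
                walk(value)

    walk(der)
    return found


def responder_hosts(pem_text):
    """Map each OCSP responder URL in the leaf (first) certificate to its hostname."""
    ders = pem_to_der(pem_text)
    if not ders:
        raise ValueError("no PEM certificate found")
    return {url: urlparse(url).hostname for url in ocsp_urls(ders[0])}


def check_stapling_dns(pem_text, resolve=socket.getaddrinfo):
    """Resolve every responder host via the system resolver (nginx's startup check).
    Returns {host: sorted addresses}; an unresolvable host maps to an error string."""
    results = {}
    for host in responder_hosts(pem_text).values():
        try:
            results[host] = sorted({info[4][0] for info in resolve(host, 80)})
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            results[host] = "unresolvable: %s" % exc
    return results


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert_pem(ocsp_url):
    """Constructed sample: the nesting of a certificate (Certificate > tbsCertificate >
    [3] extensions > Extension > OCTET STRING > AIA), PEM-wrapped. NOT a valid cert."""
    access_ocsp = _der(0x30, _der(0x06, ID_AD_OCSP) + _der(0x86, ocsp_url.encode()))
    access_ca = _der(0x30, _der(0x06, bytes.fromhex("2b06010505073002"))  # id-ad-caIssuers
                     + _der(0x86, b"http://ca-issuers.example.invalid/ca.crt"))  # placeholder
    aia = _der(0x30, access_ocsp + access_ca)
    ext = _der(0x30, _der(0x06, bytes.fromhex("2b06010505070101")) + _der(0x04, aia))  # id-pe-AIA
    tbs = _der(0x30, _der(0xA3, _der(0x30, ext)))
    cert = _der(0x30, tbs + _der(0x03, b"\x00" * 9))  # dummy signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else \
        build_sample_cert_pem("http://ocsp.int-x3.letsencrypt.org")
    for host, outcome in check_stapling_dns(pem).items():
        print(host, "->", outcome)
```

Run it against the real bundle (`python3 check_ocsp_dns.py domain.com.chained.crt`): an "unresolvable" line for the responder host points at the system resolver configuration (/etc/resolv.conf), which is the condition this ticket was closed on; note that the nginx `resolver` directive does not apply to this startup lookup, so a working `dig` against 127.0.0.1 does not rule the problem out.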
