Opened 5 years ago
Closed 5 years ago
#1863 closed defect (invalid)
"ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate
Reported by: | | Owned by: |
---|---|---|---
Priority: | minor | Milestone: |
Component: | other | Version: | 1.17.x
Keywords: | ssl_stapling ocsp | Cc: |

uname -a: Linux 5.3.0-17-generic #18-Ubuntu SMP Fri Oct 4 03:04:18 UTC 2019 x86_64 GNU/Linux

nginx -V:

```
# nginx -V
nginx version: nginx/1.17.4 (x86_64-pc-linux-gnu)
built by gcc 9.2.1 20190909 (Ubuntu 9.2.1-8ubuntu1)
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --build=x86_64-pc-linux-gnu --prefix=/usr/local/share/nginx --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx.pid --sbin-path=/usr/sbin/nginx --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --group=www-data --user=www-data --with-debug --with-file-aio --with-google_perftools_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_mp4_module --with-http_perl_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_xslt_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module --with-stream_ssl_preread_module --with-threads
```
Description
Nginx relevant config:
```
resolver 127.0.0.1:53;
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate domain.com.chained.crt;
ssl_certificate_key domain.com_rsakey.pem;
ssl_trusted_certificate letsencrypt_root_intermediate_bundle.pem;
```
domain.com.chained.crt is a bundle containing:
- the domain wildcard certificate
- letsencryptauthorityx3.pem
- no anchor root certificate
letsencrypt_root_intermediate_bundle.pem is a bundle containing:
- isrgrootx1.pem root certificate
- letsencryptauthorityx3.pem
Testing the domain at https://www.ssllabs.com/ssltest reports:
- an overall rating of A+
- a certificate issued by Let's Encrypt Authority X3/AIA: http://cert.int-x3.letsencrypt.org/
- Revocation information OCSP: http://ocsp.int-x3.letsencrypt.org
- Revocation status as Good (not revoked)
- Trusted yes
- no chain issue with the provided certificate of Let's Encrypt Authority X3 issued by ISRG Root X1
No issue either when accessing ocsp.int-x3.letsencrypt.org:
```
# dig ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.15.4 <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57953
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e26b5bf4a0c64fbc010000005d98883e0f932385bcae9d08 (good)
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.    IN    A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org.               599 IN CNAME ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 599 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.                      599 IN A     88.221.113.64
a771.dscq.akamai.net.                      599 IN A     88.221.113.51
a771.dscq.akamai.net.                      599 IN A     88.221.113.11

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 05 14:10:38 CEST 2019
;; MSG SIZE  rcvd: 221

# ping ocsp.int-x3.letsencrypt.org.edgesuite.net
PING a771.dscq.akamai.net (88.221.113.89) 56(84) bytes of data.
64 bytes from a88-221-113-89.deploy.static.akamaitechnologies.com (88.221.113.89): icmp_seq=1 ttl=58 time=5.80 ms
```
Yet, restarting nginx leads to:
```
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "domain.com.chained.crt"
```
Is this a nginx or a configuration issue?
Change History (2)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
The error message suggests there is a problem with resolution of the "ocsp.int-x3.letsencrypt.org" name, as performed by nginx on startup using the system resolver. You should check your DNS configuration - in particular, make sure that all nameservers listed in /etc/resolv.conf are working well and not broken.
Replacing in the domain certificate bundle the contents of letsencryptauthorityx3.pem with the contents of lets-encrypt-x3-cross-signed.pem seems to solve/workaround this issue.
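The closing comment points at the system resolver consulted on startup rather than the `resolver 127.0.0.1:53` directive, and advises checking every nameserver in /etc/resolv.conf. The script below is an added example (not nginx's code and not from the reporter) of that preflight: it takes the OCSP responder URL from the certificate's AIA field, sends an A query directly to each nameserver in resolv.conf over UDP/53, and lists which of them fail to return an address, which is the condition behind the "host not found" warning. The DNS encoder/parser is a minimal one written for this check; the resolv.conf text, the second nameserver 192.0.2.53 and the 192.0.2.x addresses are constructed sample values.

```python
"""Preflight for nginx ssl_stapling: can every nameserver in /etc/resolv.conf
resolve the OCSP responder host? Added example, not nginx's own code."""
import socket
import struct
from urllib.parse import urlsplit

DNS_PORT = 53
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0]   # strip comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def responder_host(ocsp_url):
    """Split an AIA OCSP URL into (host, port); OCSP responders are plain http."""
    u = urlsplit(ocsp_url)
    if u.scheme != "http" or not u.hostname:
        raise ValueError("unsupported OCSP responder URL: %r" % ocsp_url)
    return u.hostname, u.port or 80


def encode_name(name):
    """Wire-format a DNS name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_query(name, txid):
    """Build a recursion-desired A/IN query for `name` with transaction id `txid`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(packet, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = packet[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(packet, txid):
    """Return (rcode name, [A record addresses]) from a DNS response.

    CNAME records in the answer section are skipped over, so a chain like the
    dig output above (CNAME -> CNAME -> A) still yields the final addresses."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(packet[off:off + 4]))
        off += rdlen
    return rcode, addrs


def query_nameserver(server, name, timeout=2.0, txid=0x1234):
    """Ask one nameserver directly over UDP; ('TIMEOUT', []) if it does not answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_a_query(name, txid), (server, DNS_PORT))
        data, _ = sock.recvfrom(4096)
        return parse_a_answers(data, txid)
    except (socket.timeout, OSError, ValueError):
        return "TIMEOUT", []
    finally:
        sock.close()


def check_stapling_dns(ocsp_url, resolv_conf_text):
    """Query every configured nameserver; return per-server results and the broken ones."""
    host, _ = responder_host(ocsp_url)
    results = {s: query_nameserver(s, host) for s in parse_resolv_conf(resolv_conf_text)}
    broken = [s for s, (_, addrs) in results.items() if not addrs]
    return results, broken


if __name__ == "__main__":
    # Constructed resolv.conf: the ticket's local resolver plus a hypothetical second entry.
    RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 192.0.2.53   # constructed example\n"
    results, broken = check_stapling_dns("http://ocsp.int-x3.letsencrypt.org", RESOLV_CONF)
    for server, (rcode, addrs) in results.items():
        print("%-15s %-8s %s" % (server, rcode, ", ".join(addrs) or "-"))
    if broken:
        print("nameservers unable to resolve the responder: %s" % ", ".join(broken))
```

Run it with the machine's real /etc/resolv.conf contents in place of the constructed string; a nameserver that times out or answers NXDOMAIN/SERVFAIL for the responder host is the one to fix before expecting `ssl_stapling` to survive a restart.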