id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
553	OCSP stapling does not work when the OCSP server has a CNAME	www.google.com/accounts/o8/id?id=AItOawnljTXWIu91q1P8AwBHNny0iJcGROHqUz8		"I am trying to enable OCSP Stapling on a server with a RapidSSL (Geotrust) SSL certificate. The OCSP responder for the cert is rapidssl-ocsp.geotrust.com, which is CNAME-ed to Akamai as follows:

{{{
starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61334
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.    IN      A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com. 0   IN      CNAME   ocsp.ws.symantec.com.edgekey.net.
ocsp.ws.symantec.com.edgekey.net. 0 IN  CNAME   e8218.ce.akamaiedge.net.
e8218.ce.akamaiedge.net. 20     IN      A       23.5.251.27

;; Query time: 1141 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:03:57 2014
;; MSG SIZE  rcvd: 140
}}}

I see in my error logs, with both nginx 1.5.13 and 1.7.0, the error message:

{{{
2014/04/30 17:48:22 [error] 20014#0: rapidssl-ocsp.geotrust.com could not be resolved (145: Operation timed out) while requesting certificate status, responder: rapidssl-ocsp.geotrust.com
}}}

If I change my local DNS caching server to send back directly an A record for rapidssl-ocsp.geotrust.com, I no longer see the error. Of course, that is not a viable strategy on a production web server as Geotrust or Akamai may change its OCSP responders' IP over time.

{{{
starvald ~majid/build#grep ocsp /etc/unbound/unbound.conf
        local-data:     ""rapidssl-ocsp.geotrust.com. A 23.5.251.27""

starvald ~/web/conf>dig a rapidssl-ocsp.geotrust.com

; <<>> DiG 9.6-ESV-R7-P3 <<>> a rapidssl-ocsp.geotrust.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9633
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rapidssl-ocsp.geotrust.com.    IN      A

;; ANSWER SECTION:
rapidssl-ocsp.geotrust.com. 3600 IN     A       23.5.251.27

;; Query time: 0 msec
;; SERVER: 10.0.0.28#53(10.0.0.28)
;; WHEN: Wed Apr 30 18:02:11 2014
;; MSG SIZE  rcvd: 60
}}}

It can't be an error related to DNS timeouts, as the A record is supplied at the same time as the CNAME by the DNS server, and thus no additional lookup should be necessary. Most likely, nginx just can't deal with the DNS response if it has a CNAME instead of the expected A (or AAAA?). Or perhaps it is the 2 CNAME hops that are throwing nginx off.

"	defect	closed	major	1.7	nginx-core	1.5.x	worksforme			SunOS starvald 5.11 oi_151a7 i86pc i386 i86pc	"nginx version: nginx/1.7.0
built by gcc 4.8.2 (GCC) 
TLS SNI support enabled
configure arguments: --prefix=/usr/local --conf-path=/usr/local/etc/nginx --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-select_module --with-poll_module --with-http_stub_status_module --with-http_gzip_static_module --without-http_scgi_module --without-http_uwsgi_module --with-cc-opt='-I/usr/local/include -I/usr/local/ssl/include -DNGINX_DTRACE=1' --with-ld-opt='-L /usr/local/lib -L /usr/local/ssl/lib' --error-log-path=/tmp/nginx_error.log --with-http_spdy_module --with-http_auth_request_module --add-module=/home/majid/apsalar/lib/aphash --add-module=/home/majid/apsalar/lib/http_success"
