#911 closed defect (invalid)
ocsp.comodoca.com could not be resolved
| Reported by: | John Carne | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | documentation | Version: | 1.9.x |
| Keywords: | | Cc: | |
| uname -a: | Linux web1.hosting1976.fr 2.6.32-604.30.3.lve1.3.63.el6.x86_64 #1 SMP Sun Sep 27 06:34:10 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux | | |

nginx -V:
root@web1 [~]# nginx -V
nginx version: nginx/1.8.1
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody --group=nobody --add-module=naxsi-0.54/naxsi_src --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --with-threads --with-ipv6 --with-http_spdy_module --add-module=ngx_pagespeed-release-1.10.33.4-beta --with-cc=/opt/rh/devtoolset-2/root/usr/bin/gcc --add-module=/usr/local/rvm/gems/ruby-2.3.0/gems/passenger-5.0.24/src/nginx_module --add-module=ngx_cache_purge-2.3 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
Description
Hi,
My techs can't solve this message, which is repeated all day long in the error log:
2016/02/21 21:54:31 [error] 700513#700513: ocsp.comodoca.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.comodoca.com
We use the nginx nDeploy version as a reverse proxy.
1. My resolver.conf is as follows, for performance and data privacy:
127.0.0.1
213.186.33.99
This is given by my provider: 213.186.33.99. This is a CDN-popped worldwide IP of their network, so it can't be the issue.
2. This was added in my /etc/host file:
178.255.83.1 ocsp.comodoca.com
Just now, ocsp.comodoca.com is still resolving well to 178.255.83.1.
3. I talked to cPanel support:
IPv6 is set up by default on the cPanel server; what I did was add an IPv6 range, but no accounts have any IPv6 allocated yet. There is no issue with this.
NB
The uname -a result is not correct with KernelCare; the server is up to date.
Change History (9)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
The nginx internal resolver does not read the /etc/hosts file.
Please try to resolve the domain from command line:
dig @213.186.33.99 ocsp.comodoca.com
comment:3 by , 10 years ago
Here is the result:
root@web1 [~]# dig @213.186.33.99 ocsp.comodoca.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6 <<>> @213.186.33.99 ocsp.comodoca.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 8
;; QUESTION SECTION:
;ocsp.comodoca.com. IN A
;; ANSWER SECTION:
ocsp.comodoca.com. 88 IN A 178.255.83.1
;; AUTHORITY SECTION:
comodoca.com. 66372 IN NS ns0.comododns.com.
comodoca.com. 66372 IN NS ns0.comododns.net.
comodoca.com. 66372 IN NS ns1.comododns.com.
comodoca.com. 66372 IN NS ns1.comododns.net.
;; ADDITIONAL SECTION:
ns0.comododns.com. 13179 IN A 91.209.196.4
ns0.comododns.com. 74812 IN AAAA 2a02:1788:0:200::5bd1:c404
ns0.comododns.net. 160910 IN A 199.66.200.4
ns0.comododns.net. 160910 IN AAAA 2a02:1788:0:600::c742:c804
ns1.comododns.com. 13179 IN A 199.66.200.5
ns1.comododns.com. 120270 IN AAAA 2a02:1788:0:600::c742:c805
ns1.comododns.net. 160910 IN A 91.209.196.5
ns1.comododns.net. 160910 IN AAAA 2a02:1788:0:200::5bd1:c405
;; Query time: 2 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Sat Feb 27 14:31:34 2016
;; MSG SIZE rcvd: 322
comment:4 by , 10 years ago
We have the same issue with another SSL provider:
2016/02/27 15:17:15 [error] 996880#996880: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get issuer certificate) while requesting certificate status, responder: gv.symcd.com
comment:5 by , 10 years ago
Found this:
https://trac.nginx.org/nginx/ticket/553
Most likely reason for the problem you are seeing is broken AAAA address resolution somewhere in your setup. Your nginx is compiled with IPv6 and will try to resolve both A and AAAA addresses, and the message indicates that one of the DNS requests (either for A or AAAA records) times out.
I've just tested with OCSP responder set to rapidssl-ocsp.geotrust.com, and it resolves fine here without any problems.
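A check that follows from comments 2 and 5, added here as an example and not part of the ticket: because nginx's resolver ignores /etc/hosts and asks for both A and AAAA records, query each record type separately against every resolver nginx is configured with, using a short timeout. The function names and the script's argument order are assumptions of this example; the `dig` options used are standard.

```shell
#!/bin/sh
# Added example (not from the ticket): test A and AAAA lookups one by one
# against each resolver, since a plain "dig name" only asks for the A record.
# Usage (hypothetical file name): sh check_ocsp_dns.sh <name> <resolver>...

# Classify one dig reply read from stdin: ok | empty | timeout | error:<rcode>
classify_dig() {
    cd_out=$(cat)
    case $cd_out in
        *'connection timed out'*) echo timeout; return 0 ;;
    esac
    # rcode comes from the ->>HEADER<<- line, answer count from the flags line
    cd_status=$(printf '%s\n' "$cd_out" |
        sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    cd_answers=$(printf '%s\n' "$cd_out" |
        sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ "$cd_status" != "NOERROR" ]; then
        echo "error:${cd_status:-unknown}"
    elif [ "${cd_answers:-0}" -gt 0 ]; then
        echo ok
    else
        echo empty   # NOERROR without records: normal for a host with no AAAA
    fi
}

# Ask one resolver for both record types; one try, 3 second timeout each.
check_resolver() {
    cr_resolver=$1
    cr_name=$2
    for cr_type in A AAAA; do
        cr_result=$(dig +time=3 +tries=1 "@$cr_resolver" "$cr_name" "$cr_type" 2>&1 |
            classify_dig)
        printf '%-16s %-5s %s\n' "$cr_resolver" "$cr_type" "$cr_result"
    done
}

# Only runs when a name and at least one resolver are given on the command line.
if [ "$#" -ge 2 ]; then
    name=$1
    shift
    for resolver in "$@"; do
        check_resolver "$resolver" "$name"
    done
fi
```

A `timeout` on one row while the other row for the same resolver is `ok` is the situation the quoted reply from ticket 553 describes. If only the AAAA lookups time out, the `resolver` directive accepts `ipv6=off` (nginx 1.5.8 and later) to stop nginx from requesting them.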
comment:6 by , 10 years ago
After checking, I realize that neither my hostname nor either DNS has AAAA entries. I have entered them in the DNS zone of the hostname along with the A record; for now I see no change.
comment:8 by , 10 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |

This doesn't look like an error in nginx. If you are looking for support, please consider using the mailing list.
I can give a sample of the actual domain SSL with a Comodo cert, but I need this to be a private post:
/etc/nginx/sites-enabled/domain_SSL.conf