Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#911 closed defect (invalid) could not be resolved

Reported by: John Carne Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.9.x
Keywords: Cc:
uname -a: Linux 2.6.32-604.30.3.lve1.3.63.el6.x86_64 #1 SMP Sun Sep 27 06:34:10 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: root@web1 [~]# nginx -V
nginx version: nginx/1.8.1
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody --group=nobody --add-module=naxsi-0.54/naxsi_src --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --with-threads --with-ipv6 --with-http_spdy_module --add-module=ngx_pagespeed-release- --with-cc=/opt/rh/devtoolset-2/root/usr/bin/gcc --add-module=/usr/local/rvm/gems/ruby-2.3.0/gems/passenger-5.0.24/src/nginx_module --add-module=ngx_cache_purge-2.3 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'



My techs can't solve this message, repeated all day long in the error log:

2016/02/21 21:54:31 [error] 700513#700513: could not be resolved (110: Operation timed out) while requesting certificate status, responder:

We use nginx nDeploy version as reverse proxy.

My resolver.conf is as follows, for performance and data privacy:
This is given by my provider :, this is a CDN popped worldwide IP of their network, so it can't be the issue

Was added this in my /etc/host file
Just now, is still well resolving to

I talked to cPanel support:
IPv6 is set up by default on the cPanel server; what I did was add an IPv6 range, but no accounts have any IPv6 allocated yet. There is no issue with this.

The uname -a result is not correct with KernelCare; the server is up to date.

Change History (9)

comment:1 by John Carne, 7 years ago

I can give a sample of an actual domain's SSL with a Comodo cert, but I need this to be a private post:


comment:2 by Roman Arutyunyan, 7 years ago

Nginx internal resolver does not read /etc/hosts file.
Please try to resolve the domain from command line:

dig @

comment:3 by John Carne, 7 years ago

Here is the result:

root@web1 [~]# dig @

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6 <<>> @ ocsp.comod
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 8

; IN A


;; AUTHORITY SECTION: 66372 IN NS 66372 IN NS 66372 IN NS 66372 IN NS

;; ADDITIONAL SECTION: 13179 IN A 74812 IN AAAA 2a02:1788:0:200::5bd1:c404 160910 IN A 160910 IN AAAA 2a02:1788:0:600::c742:c804 13179 IN A 120270 IN AAAA 2a02:1788:0:600::c742:c805 160910 IN A 160910 IN AAAA 2a02:1788:0:200::5bd1:c405

;; Query time: 2 msec
;; WHEN: Sat Feb 27 14:31:34 2016
;; MSG SIZE rcvd: 322

comment:4 by John Carne, 7 years ago

We have the same issue with another SSL provider:
2016/02/27 15:17:15 [error] 996880#996880: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get issuer certificate) while requesting certificate status, responder:

comment:5 by John Carne, 7 years ago

Found this:

Most likely reason for the problem you are seeing is broken AAAA address resolution somewhere in your setup. Your nginx is compiled with IPv6 and will try to resolve both A and AAAA addresses, and the message indicates that one of the DNS requests (either for A or AAAA records) times out.
I've just tested with OCSP responder set to, and it resolves fine here without any problems.
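
The points raised in comment:2, comment:4 and comment:5, written out as an nginx OCSP stapling configuration. This is an added example, not configuration from the ticket or from the nginx project; the server name, the file paths and the resolver address 192.0.2.53 are placeholders.

```nginx
# Added example. example.com, the /etc/nginx/ssl/ paths and 192.0.2.53
# are placeholders, not values taken from the ticket.
server {
    listen      443 ssl;
    server_name example.com;

    # Leaf certificate followed by its intermediates, plus the private key.
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # With stapling on, nginx itself contacts the OCSP responder named in
    # the certificate, so the worker must be able to resolve that hostname.
    ssl_stapling        on;
    ssl_stapling_verify on;

    # nginx's resolver does not read /etc/hosts (comment:2); it only asks
    # the DNS servers listed here. ipv6=off disables AAAA lookups, which
    # takes a broken IPv6 resolution path (comment:5) out of the picture.
    resolver         192.0.2.53 valid=300s ipv6=off;
    resolver_timeout 5s;

    # ssl_stapling_verify checks the responder's signature against this
    # file, which must hold the issuer, intermediate and root certificates.
    # An incomplete chain here is a common source of the
    # "unable to get issuer certificate" verify error shown in comment:4.
    ssl_trusted_certificate /etc/nginx/ssl/example.com.ca-chain.pem;
}
```

After editing, `nginx -t` validates the syntax before a reload; the `ipv6=off` parameter requires nginx 1.5.8 or later.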

comment:6 by John Carne, 7 years ago

After checking, I realize that neither my hostname nor either of the DNS has AAAA entries. I have entered them in the DNS zone of the hostname along with the A record; for now I see no change.

comment:7 by John Carne, 7 years ago

I'm trying again to set these AAAA records.

comment:8 by Maxim Dounin, 7 years ago

Resolution: invalid
Status: new → closed

This doesn't look like an error in nginx. If you are looking for support, please consider using the mailing list.

comment:9 by John Carne, 7 years ago

Can you prove it?
