Opened 9 years ago

Closed 9 years ago

Last modified 9 years ago

#911 closed defect (invalid)

ocsp.comodoca.com could not be resolved

Reported by: John Carne
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.9.x
Keywords:
Cc:
uname -a: Linux web1.hosting1976.fr 2.6.32-604.30.3.lve1.3.63.el6.x86_64 #1 SMP Sun Sep 27 06:34:10 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: root@web1 [~]# nginx -V
nginx version: nginx/1.8.1
built by gcc 4.8.2 20140120 (Red Hat 4.8.2-15) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nobody --group=nobody --add-module=naxsi-0.54/naxsi_src --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-file-aio --with-threads --with-ipv6 --with-http_spdy_module --add-module=ngx_pagespeed-release-1.10.33.4-beta --with-cc=/opt/rh/devtoolset-2/root/usr/bin/gcc --add-module=/usr/local/rvm/gems/ruby-2.3.0/gems/passenger-5.0.24/src/nginx_module --add-module=ngx_cache_purge-2.3 --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

hi,

My techs can't solve this message, repeated all day long in the error log:

2016/02/21 21:54:31 [error] 700513#700513: ocsp.comodoca.com could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.comodoca.com

We use the nginx nDeploy version as a reverse proxy.

1. My resolver.conf is as follows, for performance and data privacy:
127.0.0.1
213.186.33.99
213.186.33.99 is given by my provider; it is a CDN IP of their network, popped worldwide, so it can't be the issue.

2. I added this to my /etc/hosts file:
178.255.83.1 ocsp.comodoca.com
Right now, ocsp.comodoca.com still resolves fine to 178.255.83.1.

3. I talked to cPanel support:
IPv6 is set up by default on the cPanel server; what I did was add an IPv6 range, but no accounts have any IPv6 allocated yet. There is no issue with this.

NB: the uname -a result is not accurate because of KernelCare; the server is up to date.

Change History (9)

comment:1 by John Carne, 9 years ago

I can give a sample of an actual domain's SSL config with a Comodo cert, but this needs to be a private post:

/etc/nginx/sites-enabled/domain_SSL.conf

comment:2 by Roman Arutyunyan, 9 years ago

Nginx's internal resolver does not read the /etc/hosts file.
Please try to resolve the domain from the command line:

dig @213.186.33.99 ocsp.comodoca.com

comment:3 by John Carne, 9 years ago

Here is the result:

root@web1 [~]# dig @213.186.33.99 ocsp.comodoca.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6_7.6 <<>> @213.186.33.99 ocsp.comodoca.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 8

;; QUESTION SECTION:
;ocsp.comodoca.com. IN A

;; ANSWER SECTION:
ocsp.comodoca.com. 88 IN A 178.255.83.1

;; AUTHORITY SECTION:
comodoca.com. 66372 IN NS ns0.comododns.com.
comodoca.com. 66372 IN NS ns0.comododns.net.
comodoca.com. 66372 IN NS ns1.comododns.com.
comodoca.com. 66372 IN NS ns1.comododns.net.

;; ADDITIONAL SECTION:
ns0.comododns.com. 13179 IN A 91.209.196.4
ns0.comododns.com. 74812 IN AAAA 2a02:1788:0:200::5bd1:c404
ns0.comododns.net. 160910 IN A 199.66.200.4
ns0.comododns.net. 160910 IN AAAA 2a02:1788:0:600::c742:c804
ns1.comododns.com. 13179 IN A 199.66.200.5
ns1.comododns.com. 120270 IN AAAA 2a02:1788:0:600::c742:c805
ns1.comododns.net. 160910 IN A 91.209.196.5
ns1.comododns.net. 160910 IN AAAA 2a02:1788:0:200::5bd1:c405

;; Query time: 2 msec
;; SERVER: 213.186.33.99#53(213.186.33.99)
;; WHEN: Sat Feb 27 14:31:34 2016
;; MSG SIZE rcvd: 322

comment:4 by John Carne, 9 years ago

We have the same issue with another SSL provider:
2016/02/27 15:17:15 [error] 996880#996880: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get issuer certificate) while requesting certificate status, responder: gv.symcd.com

comment:5 by John Carne, 9 years ago

Found this:
https://trac.nginx.org/nginx/ticket/553

The most likely reason for the problem you are seeing is broken AAAA address resolution somewhere in your setup. Your nginx is compiled with IPv6 and will try to resolve both A and AAAA addresses, and the message indicates that one of the DNS requests (either for A or AAAA records) times out.
I've just tested with the OCSP responder set to rapidssl-ocsp.geotrust.com, and it resolves fine here without any problems.
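
The two checks suggested in this thread (comment 2's `dig` against the resolver nginx uses, and the quoted diagnosis above that one of the A or AAAA lookups times out) can be scripted. The script below is an added example, not code from the ticket or from nginx: it classifies a `dig` reply into ok / nodata / timeout / error, and `check_responder` runs both lookups an IPv6-enabled nginx performs. The host names and addresses in the constructed samples are placeholders (RFC 5737 and documentation ranges), not real responders.

```shell
#!/bin/sh
# Added example (not from the ticket): classify `dig` replies the way an operator
# checking an nginx resolver would, and query both A and AAAA, since an nginx
# built with IPv6 asks for both. Names and addresses below are constructed.

# classify_dig_output: read one dig reply on stdin and print a single verdict:
#   ok          NOERROR with at least one answer record
#   nodata      NOERROR but no record of the requested type (normal for a
#               host without AAAA; nginx simply uses the A answer)
#   timeout     dig gave up waiting (the case the ticket's error log shows)
#   error:<ST>  any other status, e.g. error:SERVFAIL or error:NXDOMAIN
#   unparsed    no dig header found at all
classify_dig_output() {
  awk '
    /connection timed out|no servers could be reached/ { verdict = "timeout" }
    /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
    /^;; flags:/   { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 + 0 }
    END {
      if (verdict != "")            print verdict
      else if (status == "")        print "unparsed"
      else if (status != "NOERROR") print "error:" status
      else if (answers > 0)         print "ok"
      else                          print "nodata"
    }'
}

# check_responder RESOLVER HOST: run the two lookups nginx performs, against the
# resolver nginx is configured with, with a short timeout so a hanging AAAA
# query shows up as "timeout" instead of stalling the shell. Needs `dig`.
check_responder() {
  resolver=$1
  host=$2
  for rrtype in A AAAA; do
    verdict=$(dig +time=2 +tries=1 "@$resolver" "$host" "$rrtype" 2>/dev/null | classify_dig_output)
    printf '%-5s %s via %s: %s\n' "$rrtype" "$host" "$resolver" "$verdict"
  done
}

# Constructed sample replies, trimmed to the lines the classifier reads.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
ocsp.example.test.  300  IN  A  192.0.2.10'
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT='; <<>> DiG 9.8.2 <<>> @192.0.2.53 ocsp.example.test AAAA
;; connection timed out; no servers could be reached'

if [ "$#" -ge 2 ]; then
  check_responder "$1" "$2"   # e.g. sh check-ocsp.sh 213.186.33.99 ocsp.comodoca.com
else
  for s in "$SAMPLE_OK" "$SAMPLE_NODATA" "$SAMPLE_SERVFAIL" "$SAMPLE_TIMEOUT"; do
    printf '%s\n' "$s" | classify_dig_output
  done
fi
```

Run it with the address from nginx's `resolver` directive and the responder host from the error line. A `timeout` on the AAAA row while the A row is `ok` is exactly the situation the quoted comment describes; `nodata` for AAAA is harmless, since nginx then uses the A answer. If the AAAA path is broken and cannot be fixed on the network side, nginx's `resolver` directive accepts an `ipv6=off` parameter that stops it from issuing AAAA queries.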

comment:6 by John Carne, 9 years ago

After checking, I realize that neither my hostname nor either of the DNS servers has AAAA entries. I have entered them in the DNS zone of the hostname along with the A record; for now I see no change.

comment:7 by John Carne, 9 years ago

I'm trying again to set these AAAA records.

comment:8 by Maxim Dounin, 9 years ago

Resolution: invalid
Status: new → closed

This doesn't look like an error in nginx. If you are looking for support, please consider using the mailing list.

comment:9 by John Carne, 9 years ago

Can you prove it?
