Opened 7 years ago
Closed 7 years ago
#1363 closed defect (duplicate)
OCSP responder timed out on IPv6 only server
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | other | Version: | 1.10.x |
Keywords: | Cc: | ||
uname -a: | Linux nl01-v6 2.6.32-48-pve #1 SMP Fri Dec 23 10:22:54 CET 2016 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017 TLS SNI support enabled configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-2tpxfc/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_mp4_module --with-http_perl_module=dynamic --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-http_xslt_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/headers-more-nginx-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-cache-purge --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-development-kit --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx-fancyindex --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nchan --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-lua --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upload-progress --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-2tpxfc/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module |
Description
This is the error message:
OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
The OSCP responder seems to have A and AAAA records:
$ nslookup ocsp.int-x3.letsencrypt.org 8.8.8.8 Server: 8.8.8.8 Address: 8.8.8.8#53 Non-authoritative answer: ocsp.int-x3.letsencrypt.org canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net. ocsp.int-x3.letsencrypt.org.edgesuite.net canonical name = a771.dscq.akamai.net. Name: a771.dscq.akamai.net Address: 2.21.242.245 Name: a771.dscq.akamai.net Address: 2.21.242.204 Name: a771.dscq.akamai.net Address: 2a02:26f0:10::5c7a:d419 Name: a771.dscq.akamai.net Address: 2a02:26f0:10::5c7a:d410
For me this seems as nginx tries to connect by IPv4 which can't work as the server this is running at is IPv6 only.
So either nginx should at least try a fallback to IPv6 if IPv4 fails or offer an option for the resolver to disable IPv4 (ipv4=off - we have the exact same switch for IPv6 already).
Note:
See TracTickets
for help on using tickets.
Duplicate of #1330.