Cert status resolver error in nginx logs

Hi. My SSL cert is installed, and seems to be working properly, but I have some errors related to it in my nginx logs that I haven't been able to figure out on my own. The errors are:

2022/08/07 14:07:33 [error] 1564#1564: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.1:53
2022/08/07 14:07:33 [error] 1564#1564: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.1:53
2022/08/07 14:07:38 [error] 1564#1564: r3.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/ssl/my.domain.example/fullchain.pem"

I have been searching for a fix from the perspective of nginx, but I am overwhelmed by the amount of information, and what I have tried hasn't fixed the problem. I am using Ubuntu 20.04 server on a VPS.

Check your DNS system
OR
Use a public DNS system

3 Likes

Thanks for your reply. I'm sorry though, but could you be more specific? I seem to have a couple of files that concern DNS configs. The netplan YAML file is user editable, but the resolv.conf is dynamic. Here is the output of one command:
resolvectl status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 209.222.18.222
DNS Servers: 209.222.18.222
209.222.18.218
8.8.8.8
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test

Link 3 (tun0)
Current Scopes: none
DefaultRoute setting: no
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no

Link 2 (eth0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNS Servers: 185.12.64.1
185.12.64.2

systemd-resolved usually listens on 127.0.0.53:53 but your nginx tries to query 127.0.0.1:53.

2 Likes

Ok, I was wondering why the discrepancy between what I have, and what I've seen when searching this problem online. Should this address be changed in my nginx configs somewhere?

I'd grep nginx configs for resolver and see what comes up

1 Like

Alright, though I am actually finding conflicting information online, with some suggesting that my local resolver address is correct 😛

The logs you posted beg to differ. As in nothing is listening on 127.0.0.1:53. Show us the full output of dig google.com. The system resolver address should be listed in this output.

1 Like

dig google.com

; <<>> DiG 9.16.1-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11646
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 300 IN A 172.253.122.100
google.com. 300 IN A 172.253.122.102
google.com. 300 IN A 172.253.122.101
google.com. 300 IN A 172.253.122.138
google.com. 300 IN A 172.253.122.113
google.com. 300 IN A 172.253.122.139

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Aug 08 00:05:10 PDT 2022
;; MSG SIZE rcvd: 135

Your system uses this server for DNS queries. Try doing dig google.com @127.0.0.53 to see if the resolved stub resolver is functional.

What does your nginx use in its resolver directive?

2 Likes

dig google.com @127.0.0.53

; <<>> DiG 9.16.1-Ubuntu <<>> google.com @127.0.0.53
;; global options: +cmd
;; connection timed out; no servers could be reached

Where would I find the information about the nginx resolver directive?

resolved resolver appears to be disabled. I would recommend enabling it and switching to it in your nginx conf.

grep -r resolver /etc/nginx

1 Like

sudo grep -nr 'resolver' /etc/nginx/
/etc/nginx/snippets/ssl-params.conf:9:resolver 127.0.0.1 valid=300s;
/etc/nginx/snippets/ssl-params.conf:10:resolver_timeout 5s;

sudo cat snippets/ssl-params.conf 
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers *censored*;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#add_header X-Frame-Options DENY;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

I don't understand what you mean by enabling and switching to it. It isn't commented out, or set to disabled in this file.

Here it clearly states nginx has 127.0.0.1 set as resolver. Please set this value to the IP address of a valid DNS resolver.

4 Likes

Please show the output of:
netstat -pan | grep 127 | grep 53

3 Likes

There is no output returned, either as user or root.

I have changed this to 8.8.8.8, but I don't think it has solved my issue. Also, looking at /etc/resolv.conf, it still says that 127.0.0.53 is the systemd-resolved stub resolver.

Edit: Maybe it has changed the issue? Since my last boot almost 2 hours ago, I haven't gotten the same error in my nginx log, but I have a different one from the time of boot:

2022/08/08 11:00:38 [warn] 684#684: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/nginx/ssl/my.example.site/fullchain.pem"

Since netstat doesn't show that to be running, I would change that to something that is working.

3 Likes

When it is running, it should look like:

tcp  0  0 127.0.0.53:53    0.0.0.0:*   LISTEN   805/systemd-resolve
udp  0  0 127.0.0.53:53    0.0.0.0:*            805/systemd-resolve

2 Likes
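As an added example (not code from anyone in this thread), here is a small POSIX shell script that automates the checks the replies above describe: it pulls the addresses out of nginx's resolver directive, lists what is actually listening on UDP port 53, and asks each configured resolver for r3.o.lencr.org the way nginx's OCSP stapling would. The two sample config files are constructed to mirror the snippet posted above, and the script name check-resolver.sh is an assumption.

```shell
#!/bin/sh
# Diagnostic for the failure in this thread: nginx's `resolver` directive points at an
# address where no DNS server answers, so OCSP stapling cannot resolve r3.o.lencr.org.
# Constructed sample files below stand in for /etc/nginx/snippets/ssl-params.conf.
BROKEN_CONF="$(mktemp)"
cat > "$BROKEN_CONF" <<'EOF'
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;
resolver_timeout 5s;
# resolver 1.1.1.1;  (commented out, must be ignored)
EOF
FIXED_CONF="$(mktemp)"
cat > "$FIXED_CONF" <<'EOF'
resolver 127.0.0.53 8.8.8.8 valid=300s ipv6=off;
resolver_timeout 5s;
EOF

# Print one address per line from every `resolver` directive in a file.
# Skips comment lines and resolver_timeout, drops option tokens such as valid=300s.
extract_resolvers() {
    sed -n 's/^[[:space:]]*resolver[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1" \
        | tr ' ' '\n' | grep -v '^$' | grep -v '='
}

# List local sockets bound to UDP port 53 (a working systemd-resolved stub shows up as
# 127.0.0.53%lo:53 here). Empty output means nothing on this host can answer nginx.
udp53_listeners() {
    ss -lun 2>/dev/null | awk 'NR > 1 && $4 ~ /:53$/ { print $4 }'
}

# Ask the resolver for the OCSP responder's A record the way nginx would, with a short
# timeout. Prints "ok" if an address came back, "unreachable" otherwise.
probe_resolver() {
    if dig +short +time=2 +tries=1 "@$1" "$2" 2>/dev/null | grep -q '^[0-9]'; then
        echo ok
    else
        echo unreachable
    fi
}

# Usage: sh check-resolver.sh [/etc/nginx/snippets/ssl-params.conf]
CONF="${1:-$BROKEN_CONF}"
echo "UDP :53 listeners: $(udp53_listeners | tr '\n' ' ')"
for addr in $(extract_resolvers "$CONF"); do
    echo "resolver $addr -> $(probe_resolver "$addr" r3.o.lencr.org)"
done
```

Run it against the real ssl-params.conf once the resolver line has been changed; every configured address should report ok and 127.0.0.53 should appear among the listeners.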

Just came home and here is what the last few lines of my nginx error log look like:

2022/08/08 10:41:30 [error] 1110#1110: r3.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: r3.o.lencr.org, certificate: "/etc/nginx/ssl/darkstar.netlib.re/fullchain.pem"
2022/08/08 11:00:38 [warn] 684#684: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/nginx/ssl/darkstar.netlib.re/fullchain.pem"
2022/08/08 16:57:20 [warn] 686#686: "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/etc/nginx/ssl/darkstar.netlib.re/fullchain.pem"
2022/08/08 18:50:46 [crit] 1219#1219: *4515 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 58.45.28.50, server: 0.0.0.0:443
2022/08/08 18:58:53 [crit] 1219#1219: *4827 SSL_do_handshake() failed (SSL: error:141CF06C:SSL routines:tls_parse_ctos_key_share:bad key share) while SSL handshaking, client: 118.123.105.85, server: 0.0.0.0:443

Here is what my /etc/resolv.conf looks like:

sudo cat /etc/resolv.conf 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 8.8.8.8
nameserver 209.222.18.222
nameserver 209.222.18.218
nameserver 8.8.8.8