Host not found in OCSP responder [nginx]

Hey guys.

I set up a domain hosted on GCP. All's going fine, but I can't seem to get OCSP working. Nginx complains, saying: "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/letsencrypt/live/<domain>/fullchain.pem".

Here is the config so far.

...
ssl_stapling                on;
ssl_stapling_verify         on;
ssl_trusted_certificate     /etc/letsencrypt/live/<domain>/chain.pem;
resolver                    8.8.8.8 8.8.4.4 valid=43200s;
...

I can verify that OCSP is working when the client fetches it, as the test succeeds in the Qualys SSL test. I can also ping and verify the chain from my server's CLI (openssl ocsp -issuer chain.pem -cert fullchain.pem -text -url http://ocsp.int-x3.letsencrypt.org/).
The domain is mythreya.dev, if that helps.
I am kinda new to this and am learning along the way (domains, servers, HTTPS, keys etc.). What could I be missing?

This is a DNS failure within nginx. Can your server definitely talk to 8.8.8.8?

dig @8.8.8.8 ocsp.int-x3.letsencrypt.org
getent hosts ocsp.int-x3.letsencrypt.org

DIG response:

; <<>> DiG 9.11.4-3ubuntu5.3-Ubuntu <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29527
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.   IN      A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 454 IN     CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 1735 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   19      IN      A       184.25.56.154
a771.dscq.akamai.net.   19      IN      A       184.25.56.123

;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 07 07:46:11 UTC 2019
;; MSG SIZE  rcvd: 174

Hosts file:

2600:1402:f000::173f:f8b2 a771.dscq.akamai.net ocsp.int-x3.letsencrypt.org ocsp.int-x3.letsencrypt.org.edgesuite.net
2600:1402:f000::173f:f8c8 a771.dscq.akamai.net ocsp.int-x3.letsencrypt.org ocsp.int-x3.letsencrypt.org.edgesuite.net
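The reply's point is that nginx resolves the OCSP responder host itself, through the server named in its `resolver` directive, so neither `/etc/hosts` nor a passing Qualys test (where the browser does the fetch) says anything about whether that lookup works. The script below is an added diagnostic, not something from the thread or from nginx: it repeats the three steps nginx performs for `ssl_stapling` (read the responder URL from the leaf certificate's Authority Information Access extension, resolve that host against the configured resolver for both A and AAAA, then fetch an OCSP response) and reports where the chain breaks. It assumes a Let's Encrypt live directory layout (`cert.pem` and `chain.pem`), that `openssl` and `dig` are installed, and that the resolver address is passed as the second argument; the script name `check-ocsp.sh` is made up.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Repeats by hand what nginx does
# for ssl_stapling, so a failure shows up at the same step nginx fails at.
# Assumes: Let's Encrypt live dir with cert.pem and chain.pem; openssl and
# dig on PATH; the nginx `resolver` address given as the second argument.

# Host part of a URL such as http://ocsp.int-x3.letsencrypt.org/ :
# drop the scheme, then everything from the first '/' or ':' onward
# (bracketed IPv6 literals are not handled).
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' -e 's|[/:].*$||'
}

# Keep only address records from `dig +short` output: CNAME targets end
# with a trailing dot and dig's own diagnostics (e.g. ";; connection timed
# out") start with ';', while A/AAAA answers are bare addresses.
addresses_only() {
    grep -v -e '\.$' -e '^;' || true
}

# OCSP responder URL from the AIA extension of the first cert in the file.
ocsp_url_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Resolve the way nginx will: against the configured resolver only, for
# both A and AAAA (nginx queries both unless `resolver ... ipv6=off`), and
# without consulting /etc/hosts. A `getent hosts` success proves nothing
# about this path.
resolve_like_nginx() {
    host=$1 server=$2
    for rrtype in A AAAA; do
        dig +short +time=3 +tries=1 "@$server" "$host" "$rrtype"
    done | addresses_only
}

check_stapling() {
    live_dir=$1 server=$2
    url=$(ocsp_url_of "$live_dir/cert.pem") || {
        echo "no OCSP URL in $live_dir/cert.pem" >&2; return 1; }
    host=$(url_host "$url")
    echo "responder: $url (host $host), resolver: $server"
    addrs=$(resolve_like_nginx "$host" "$server")
    if [ -z "$addrs" ]; then
        echo "FAIL: $server returned no A/AAAA for $host;" \
             "nginx will log 'host not found in OCSP responder'" >&2
        return 1
    fi
    echo "$addrs" | sed 's/^/  resolved: /'
    # Same request nginx sends once the host resolves; chain.pem holds the
    # issuer that signed the leaf (and, for Let's Encrypt, the responder).
    openssl ocsp -issuer "$live_dir/chain.pem" -cert "$live_dir/cert.pem" \
        -url "$url"
}

# Usage: sh check-ocsp.sh /etc/letsencrypt/live/<domain> 8.8.8.8
if [ "$#" -eq 2 ]; then
    check_stapling "$1" "$2"
fi
```

Run it from the nginx host with the same resolver address as in `nginx.conf`; an empty resolution step is exactly the condition that produces the "host not found" warning, and a resolution that succeeds only over AAAA is worth noticing if the host has no working IPv6 route, since nginx will then try those addresses for the responder.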
