Let's Encrypt + nginx on an IPv6-only server = OCSP responder timed out

I’m not sure if this is the fault of ocsp.int-x3.letsencrypt.org or nginx, but I’m getting this (error log of nginx) on an IPv6-only server:

OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

https://letsencrypt.status.io/ shows no problem with the server, so I wonder if it’s the IPv6 connection or if nginx does something wrong (trying to connect by IPv4). Any hints on how to debug this?

@V10lator

Which client are you using to try and acquire a cert?

Are you able to successfully curl -6 -IL ocsp.int-x3.letsencrypt.org from your server?

Can you post your nginx vhost configuration please?

Acquiring a certificate is not the problem here. It’s about OCSP ( https://tools.ietf.org/html/rfc6960 ).

$ curl -6 -IL ocsp.int-x3.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Cache-Control: max-age=24243
Expires: Fri, 25 Aug 2017 16:20:56 GMT
Date: Fri, 25 Aug 2017 09:36:53 GMT
Connection: keep-alive

Again: acquiring/renewing a certificate works just fine, so the nginx vhost configuration is good. If anything, you might want to see this config:

$ cat /etc/nginx/conf.d/ocsp.conf
resolver [2001:4860:4860::8888] [2001:4860:4860::8844] ipv6=on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/[CENSORED]/fullchain.pem;

Anyway, after reporting this to nginx ( https://trac.nginx.org/nginx/ticket/1363 ) I see that this is already a known bug ( https://trac.nginx.org/nginx/ticket/1330 ).

//EDIT: A workaround (from the nginx bug report) is to change /etc/nginx/conf.d/ocsp.conf to:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/[CENSORED]/fullchain.pem;
ssl_stapling_responder http://[::1]:8082/;

And adding a file to /etc/nginx/sites-enabled/ with the following content:

server {
        listen [::1]:8082 ipv6only=on default_server;
        server_name _;

        location / {
                proxy_pass http://ocsp.int-x3.letsencrypt.org;
        }
}

//EDIT²: Another workaround is to use this DNS proxy (based on https://peteris.rocks/blog/dns-proxy-server-in-node-js-with-ui/ ), which implements https://tools.ietf.org/html/draft-hazeyama-sunset4-dns-a-filter-00

//EDIT³: New code for the DNS proxy: https://pastebin.com/2NTfJu84
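A small diagnostic that goes with the thread above, added here as an example and not code from the thread, nginx or Let's Encrypt. It does two things a practitioner wants when stapling fails on an IPv6-only host: it counts the "OCSP responder timed out" signature per responder in nginx error-log lines, and it classifies the output of `openssl s_client -status` so you can confirm from the outside whether a staple is actually being served after applying one of the workarounds. The log lines and openssl outputs embedded below are constructed samples; the live `probe_staple` and `responder_has_aaaa` helpers need the `openssl` binary, network access, and a host name you supply, and those are assumptions of this example.

```python
"""Diagnose nginx OCSP stapling failures on an IPv6-only server.

Added example (not from the thread). Offline helpers: parse_nginx_ocsp_errors,
classify_staple. Live helpers (network + openssl binary assumed): probe_staple,
responder_has_aaaa.
"""
import re
import socket
import subprocess
import sys
from typing import Dict, List

# The nginx error-log signature quoted in the thread. The responder name may be
# followed by ", peer: ..." in some nginx versions, so stop at whitespace or comma.
OCSP_ERR_RE = re.compile(
    r"OCSP responder (?P<reason>.+?) \((?P<errno>\d+): [^)]*\) while requesting "
    r"certificate status, responder: (?P<responder>[^\s,]+)"
)

# Constructed sample error-log lines (not a real capture).
SAMPLE_ERROR_LOG: List[str] = [
    "2017/08/25 09:30:01 [error] 1234#1234: OCSP responder timed out "
    "(110: Connection timed out) while requesting certificate status, "
    "responder: ocsp.int-x3.letsencrypt.org",
    "2017/08/25 09:31:12 [error] 1234#1234: OCSP responder timed out "
    "(110: Connection timed out) while requesting certificate status, "
    "responder: ocsp.int-x3.letsencrypt.org",
    "2017/08/25 09:31:13 [notice] 1234#1234: signal process started",
]

# Constructed excerpts of `openssl s_client -status` output for the two outcomes.
SAMPLE_STAPLED = (
    "CONNECTED(00000003)\n"
    "OCSP response: \n"
    "======================================\n"
    "OCSP Response Data:\n"
    "    OCSP Response Status: successful (0x0)\n"
    "    Response Type: Basic OCSP Response\n"
)
SAMPLE_NO_STAPLE = (
    "CONNECTED(00000003)\n"
    "OCSP response: no response sent\n"
    "---\n"
)


def parse_nginx_ocsp_errors(lines: List[str]) -> Dict[str, int]:
    """Count OCSP stapling failures per responder host in nginx error-log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = OCSP_ERR_RE.search(line)
        if m:
            counts[m["responder"]] = counts.get(m["responder"], 0) + 1
    return counts


def classify_staple(openssl_output: str) -> str:
    """Classify `openssl s_client -status` output.

    'stapled'   : a successful OCSP response was stapled to the handshake.
    'no_staple' : the server sent none (what nginx does while its responder
                  fetch keeps timing out, as in the thread).
    'unexpected': anything else (connection failure, non-successful status).
    """
    if "OCSP Response Status: successful" in openssl_output:
        return "stapled"
    if "OCSP response: no response sent" in openssl_output:
        return "no_staple"
    return "unexpected"


def probe_staple(host: str, port: int = 443, timeout: int = 15) -> str:
    """Live check: ask the TLS server for a staple and classify the answer.

    Assumes the `openssl` binary is on PATH and the host is reachable.
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return classify_staple(proc.stdout.decode(errors="replace"))


def responder_has_aaaa(host: str) -> bool:
    """Live check: does the OCSP responder name resolve to any IPv6 address?"""
    try:
        socket.getaddrinfo(host, 80, socket.AF_INET6)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    # Offline part: summarise the constructed log sample.
    for responder, n in parse_nginx_ocsp_errors(SAMPLE_ERROR_LOG).items():
        print(f"{n} stapling failure(s) against {responder}")
    # Live part, only when a host name is given on the command line.
    if len(sys.argv) > 1:
        site = sys.argv[1]
        print("responder reachable over IPv6 (DNS):",
              responder_has_aaaa("ocsp.int-x3.letsencrypt.org"))
        print("staple status for", site, ":", probe_staple(site))
```

Run it as `python3 ocsp_check.py your.site.example` after deploying the `[::1]:8082` proxy workaround: a result of `stapled` on the live probe, together with no new matches in the error log, is the confirmation that nginx's responder fetch now succeeds over IPv6.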

