Let'sEncrypt + nginx on a IPv6 only server = OCSP responder timed out

I’m not sure if this is the fault of ocsp.int-x3.letsencrypt.org or nginx but I’m getting this (error log of nginx) on aIPv6 only server:

OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

https://letsencrypt.status.io/ shows no problem with the server so I wonder if it’s the IPv6 connection or if nginx does something wrong (trying to connect by IPv4). Any hints how to debug this?


Which client are you using to try and acquire a cert?

Are you able to successfully curl -6 -IL ocsp.int-x3.letsencrypt.org from your server?

Can you post your nginx vhost configuration please?

Aquiring a certificate is not the problem here. It’s about OCSP ( https://tools.ietf.org/html/rfc6960 ).

$ curl -6 -IL ocsp.int-x3.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/plain; charset=utf-8
Content-Length: 0
Cache-Control: max-age=24243
Expires: Fri, 25 Aug 2017 16:20:56 GMT
Date: Fri, 25 Aug 2017 09:36:53 GMT
Connection: keep-alive

Again: Acquiring/renewing a certificate works just fine, so the nginx vhost configuration is good. If anything you might want to see this config:

$ cat /etc/nginx/conf.d/ocsp.conf
resolver [2001:4860:4860::8888] [2001:4860:4860::8844] ipv6=on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/[CENSORED]/fullchain.pem;

Anyway, after reporting this to nginx ( https://trac.nginx.org/nginx/ticket/1363 ) I see that this is already a known bug ( https://trac.nginx.org/nginx/ticket/1330 ).

//EDIT: A workaround (from the nginx bug report) is to change /etc/nginx/conf.d/ocsp.conf to:

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/[CENSORED]/fullchain.pem;
ssl_stapling_responder http://[::1]:8082/;

And adding a file to /etc/nginx/sites-enabled/ with the following content:

server {
        listen [::1]:8082 ipv6only=on default_server;
        server_name _;

        location / {
                proxy_pass http://ocsp.int-x3.letsencrypt.org;

//EDIT²: Another workaround is to use this DNS-Proxy (based on https://peteris.rocks/blog/dns-proxy-server-in-node-js-with-ui/ ) which implements https://tools.ietf.org/html/draft-hazeyama-sunset4-dns-a-filter-00

//EDIT³: New codes for the DNS proxy: https://pastebin.com/2NTfJu84

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.