Nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/ssl/certs/chained.pem"

Due to some conflicting installations of third-party software in my Ubuntu 18.04.01 Server Edition I needed to wipe everything out and reinstall Ubuntu again (no network connection anymore).
I kept a copy of the /etc/ssl/certs folder and the /etc/letsencrypt folder, both of which I copied into the freshly installed Ubuntu 18.04.01 Server system.

After reinstalling nginx server I checked its status and this is the output:

marco@pc:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-07-31 18:45:54 CEST; 5min ago
     Docs: man:nginx(8)
  Process: 980 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 932 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 994 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─ 994 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─ 998 nginx: worker process
           ├─1000 nginx: worker process
           ├─1006 nginx: worker process
           ├─1007 nginx: worker process
           ├─1008 nginx: worker process
           ├─1009 nginx: worker process
           ├─1010 nginx: worker process
           └─1011 nginx: worker process

Jul 31 18:45:54 pc systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 31 18:45:54 pc nginx[932]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/ssl/certs/chained.pem"
Jul 31 18:45:54 pc nginx[980]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/ssl/certs/chained.pem"
Jul 31 18:45:54 pc systemd[1]: Started A high performance web server and a reverse proxy server.

After reading this similar request: Host not found in OCSP responder [nginx]
I checked if the server can talk to 8.8.8.8:

marco@pc:~$ dig @8.8.8.8 ocsp.int-x3.letsencrypt.org

; <<>> DiG 9.11.3-1ubuntu1.8-Ubuntu <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9840
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.	IN	A

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 1730 IN	CNAME	ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 18664 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.	19	IN	A	88.221.111.72 
a771.dscq.akamai.net.	19	IN	A	88.221.111.88

;; Query time: 58 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Jul 31 18:52:42 CEST 2019
;; MSG SIZE  rcvd: 174

marco@pc:~$ getent hosts ocsp.int-x3.letsencrypt.org
2a02:26f0:ad::58dd:6f58 a771.dscq.akamai.net ocsp.int-x3.letsencrypt.org ocsp.int-x3.letsencrypt.org.edgesuite.net
2a02:26f0:ad::58dd:6f48 a771.dscq.akamai.net ocsp.int-x3.letsencrypt.org ocsp.int-x3.letsencrypt.org.edgesuite.net

What is the problem which causes nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/etc/ssl/certs/chained.pem"?

Marco

What is Nginx’s “resolver” setting set to?

2 Likes

Where can I find Nginx’s “resolver” setting?
I checked in /etc/nginx/snippets/ but I actually didn’t find any “resolver” settings.

I found in here: https://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-ubuntu-18-04/ that in /etc/nginx/snippets/ssl.conf the “resolver” is set. Should I create a similar file in /etc/nginx/snippets?

Update: after inserting a similar ssl.conf in /etc/nginx/snippets the warnings disappeared:

marco@pc:/etc/nginx$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-07-31 20:05:34 CEST; 30s ago
     Docs: man:nginx(8)
  Process: 1979 ExecStop=/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid (code=exited, status=0/SUCCESS)
  Process: 2041 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
  Process: 2033 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
 Main PID: 2043 (nginx)
    Tasks: 9 (limit: 4915)
   CGroup: /system.slice/nginx.service
           ├─2043 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           ├─2045 nginx: worker process
           ├─2046 nginx: worker process
           ├─2048 nginx: worker process
           ├─2050 nginx: worker process
           ├─2051 nginx: worker process
           ├─2053 nginx: worker process
           ├─2054 nginx: worker process
           └─2056 nginx: worker process

Jul 31 20:05:34 pc systemd[1]: Starting A high performance web server and a reverse proxy server...
Jul 31 20:05:34 pc systemd[1]: Started A high performance web server and a reverse proxy server.

Thank you Matt for your suggestion @mnordhoff

3 Likes
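
Added example, not part of any post in this thread: one way to answer the question "where is the resolver setting?" is to scan the full configuration dump that `nginx -T` prints and list every active stapling and resolver directive with the file and line it comes from. The function names and the sample dump (including the site file name) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads an `nginx -T` dump on stdin and prints
# "<file>:<line>: <directive>" for every active stapling/resolver directive.
list_stapling_directives() {
    awk '
        /^# configuration file / {          # header nginx -T prints per file
            file = $0
            sub(/^# configuration file /, "", file); sub(/:$/, "", file)
            line = 0; next
        }
        { line++ }
        /^[ \t]*#/ { next }                 # ignore commented-out directives
        /^[ \t]*(ssl_stapling[a-z_]*|ssl_trusted_certificate|resolver[a-z_]*)[ \t]/ {
            text = $0; sub(/^[ \t]+/, "", text)
            print file ":" line ": " text
        }'
}

# Succeeds (exit 0) when stapling is on but no resolver directive is active.
stapling_without_resolver() {
    found=$(list_stapling_directives)
    printf '%s\n' "$found" | grep -Eq ': ssl_stapling[[:space:]]+on;' || return 1
    printf '%s\n' "$found" | grep -Eq ': resolver[[:space:]]' && return 1
    return 0
}

# Constructed sample dump (hypothetical site file name).
sample_dump() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/example:
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/chained.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    # resolver 8.8.8.8;
}
EOF
}

sample_dump | list_stapling_directives
# On a live host: sudo nginx -T 2>/dev/null | list_stapling_directives
```

The check only looks for the presence of a `resolver` directive anywhere in the dump; it does not verify that the directive is in scope for the server block that enables stapling.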
