No resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

meulie · October 20, 2016, 10:55am

Seeing quite a few of these in my server error log:

 no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

Should I worry about these?
How do I get rid of them?

mnordhoff · October 20, 2016, 11:04am

Nginx requires a resolver directive be set to use OCSP stapling.

For example:

resolver 127.0.0.1;

Due to the resolver’s obsolete, insecure design, i would advise being cautious about using remote resolvers, though OCSP verification more or less mitigates any security risk from cache poisoning the OCSP server.

ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

If you don’t want to set resolver, your other option is to disable OCSP stapling:

ssl_stapling off;

meulie · October 20, 2016, 12:58pm

That does the trick! Thanks!

system · November 19, 2016, 1:04pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
No resolver definded to resolv Help	10	4095	February 17, 2019
Ocsp.int-x3.letsencrypt.org could not be resolved Issuance Tech	13	10963	September 2, 2018
Ocsp.int-x3.letsencrypt.org error Aide (en français)	3	1103	April 17, 2020
Will/does the letsencrypt client create a cert chain usable with OCSP stapling? Server	18	25527	January 14, 2016
Ssl_stapling error nginx Server	2	5725	April 1, 2018

No resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org

Related topics