No resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org


#1

Seeing quite a few of these in my server error log:

 no resolver defined to resolve ocsp.int-x3.letsencrypt.org while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
  • Should I worry about these?
  • How do I get rid of them?

#2

Nginx requires a resolver directive be set to use OCSP stapling.

For example:

resolver 127.0.0.1;

Due to the resolver’s obsolete, insecure design, I would advise being cautious about using remote resolvers, though OCSP verification more or less mitigates any security risk from cache poisoning the OCSP server.

ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

If you don’t want to set resolver, your other option is to disable OCSP stapling:

ssl_stapling off;
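
An added example, not part of the original posts or of nginx itself: a small Python check that walks an nginx configuration and reports server blocks where ssl_stapling is on but no resolver is in scope (the condition behind the log message in this thread), and also flags non-loopback resolvers in line with the caution in reply #2. The sample config, the function name audit_stapling and the finding strings are constructed for illustration; it assumes resolver and ssl_stapling inherit from http to server, and it does not handle quoted strings or include files.

```python
import re

# Constructed sample config (not from the thread); 192.0.2.53 is a documentation address.
SAMPLE = """
http {
    ssl_stapling on;
    server { server_name a.example.com; }
    server { server_name b.example.com; resolver 127.0.0.1; }
    server { server_name c.example.com; resolver 192.0.2.53 valid=300s; }
    server { server_name d.example.com; ssl_stapling off; }
}
"""

def audit_stapling(conf):
    """Return (server_name, finding) pairs for stapling/resolver problems."""
    # Strip comments, then split into words and the structural tokens { } ;
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", conf))
    findings, stack, words = [], [{}], []
    for tok in tokens:
        if tok == "{":
            # A child block starts with a copy of its parent's directives.
            stack.append(dict(stack[-1], _block=words[0] if words else ""))
            words = []
        elif tok == ";":
            if words:
                stack[-1][words[0]] = words[1:]
            words = []
        elif tok == "}":
            scope = stack.pop()
            if scope.get("_block") == "server" and scope.get("ssl_stapling") == ["on"]:
                name = " ".join(scope.get("server_name", ["?"]))
                # Drop parameters such as valid=300s or ipv6=off; keep addresses.
                addrs = [a for a in scope.get("resolver", []) if "=" not in a]
                if not addrs:
                    findings.append((name, "no resolver defined"))
                elif not all(a.startswith(("127.", "[::1]")) for a in addrs):
                    findings.append((name, "non-loopback resolver"))
            words = []
        else:
            words.append(tok)
    return findings

if __name__ == "__main__":
    for name, finding in audit_stapling(SAMPLE):
        print(f"{name}: {finding}")
```
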

#3

That does the trick! Thanks! 🙂

