OCSP failed (111: Connection refused) while requesting certificate status

In the last few days this message has been logged by my Nginx-1.16.1 instance[0] a few times a day:

Sep 28 05:13:54 alice nginx[764]: 2019/09/28 05:13:54 [error] 787#787: OCSP
  responder prematurely closed connection while requesting certificate status,
  responder: ocsp.int-x3.letsencrypt.org, peer: [2600:1406:34::b819:3864]:80,
  certificate: "/etc/ssl/private/letsencrypt-hopyard.pem"

My webserver is reachable and there’s no connection issue for now, it’s just that the OCSP endpoint appears to be unreachable at times. However, letsencrypt.status.io reports that all is well. When I test it now, the OCSP endpoints are all reachable from the webserver machine (IPv4 works too):

$ ncat -vz ocsp.int-x3.letsencrypt.org 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 2600:1406:34::b819:383c:80.
Ncat: 0 bytes sent, 0 bytes received in 0.05 seconds.

The closest relevant and recent (but closed) topic I found was OCSP responder not available using IPv6, so allow me to reach out to @ftiede – does this still happen?

Does anyone else see similar errors while contacting the OCSP endpoints?

[0] with ssl_stapling and ssl_stapling_verify both enabled for some time now
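An added example, not part of the original post: tallying nginx OCSP stapling errors by responder peer address and address family. The error above names peer ...:3864 while the ncat test connected to ...:383c, so a per-peer count shows whether one address behind the hostname is the one failing. Only the first sample entry is from the post; the rest are constructed.

```python
import ipaddress
import re
from collections import Counter

# First entry is from the post; the other two are constructed for illustration.
SAMPLE_LOG = """\
Sep 28 05:13:54 alice nginx[764]: 2019/09/28 05:13:54 [error] 787#787: OCSP
  responder prematurely closed connection while requesting certificate status,
  responder: ocsp.int-x3.letsencrypt.org, peer: [2600:1406:34::b819:3864]:80,
  certificate: "/etc/ssl/private/letsencrypt-hopyard.pem"
Sep 29 02:11:30 alice nginx[764]: 2019/09/29 02:11:30 [error] 787#787: OCSP
  responder prematurely closed connection while requesting certificate status,
  responder: ocsp.int-x3.letsencrypt.org, peer: 192.0.2.10:80,
  certificate: "/etc/ssl/private/letsencrypt-hopyard.pem"
Sep 29 02:12:00 alice nginx[764]: 2019/09/29 02:12:00 [notice] 787#787: example
"""

ENTRY = re.compile(
    r"\[error\] \d+#\d+: (?P<error>.+?) while requesting certificate status, "
    r"responder: (?P<responder>[^,\s]+), "
    r"peer: \[?(?P<peer>[0-9A-Fa-f:.]+)\]?:(?P<port>\d+)"
)

def unwrap(text):
    """Join journal continuation lines (leading whitespace) onto their entry."""
    entries = []
    for line in text.splitlines():
        if line[:1].isspace() and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.strip())
    return entries

def ocsp_failures(text):
    """Return one dict per OCSP stapling error: responder, peer, family, error."""
    failures = []
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if m:
            ip = ipaddress.ip_address(m["peer"])  # validates and normalises
            failures.append({"responder": m["responder"], "peer": str(ip),
                             "family": f"IPv{ip.version}", "error": m["error"]})
    return failures

def tally(failures):  # failures per (address family, peer address)
    return Counter((f["family"], f["peer"]) for f in failures)

if __name__ == "__main__":
    for (family, peer), n in tally(ocsp_failures(SAMPLE_LOG)).items():
        print(f"{n:3d}  {family}  {peer}")
```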

I’m afraid my problem is different from yours, as in my case there wasn’t even a handshake; the connection to the responder never came to be due to a routing misconfiguration on the provider network level.

Also, you are using an entirely different IPv6 range than I do, probably due to a different geolocation.

To answer your question briefly: No, it doesn’t happen to me anymore, but I still think that’s for another reason than your problem.

OK, thank you for clarifying and for responding!

Anyone else with similar log entries? :wink:

So, the messages stopped, must have been a temporary problem then.
