Ocsp.int-x3.letsencrypt.org could not be resolved

lhaithaes · July 24, 2018, 11:30am

I’m getting 2 errors every minute in our websites nginx error log, for the past 2 days.

ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/data/disk/o1/config/server_master/ssl.d/mydomain.com/openssl_chain.crt

There are lots of posts out there suggesting turning off stapling/OCSP but this surely is just a connection issue not a software issue? So i tried this, both on my local pc and on the server in question…
curl -6 -IL ocsp.int-x3.letsencrypt.org
both times i got
curl: (7) Couldn't connect to server

It seems similar to this post but its closed Ocsp.int-x3.letsencrypt.org could not be resolved

is the ocsp.int-x3.letsencrypt.org server working ok ?

stevenzhu · July 24, 2018, 12:16pm

Hi,

That seems to be an issue of your web server configturation… Can you share us some part of your Nginx vHost (specifically resolver x.x.x.x part?)

Thank you

lhaithaes · July 24, 2018, 12:41pm

Hi stevenzhu, Google i think.

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

cpu · July 24, 2018, 12:52pm

Hi @lhaithaes,

Yup!

What does running these two commands on your affected server show?

dig ocsp.int-x3.letsencrypt.org AAAA
dig @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA

To be 100% clear: does your server have a working IPv6 configuration? You're using curl -6 to debug which indicates yes but I want to make sure that was the case.

@JamesLE Can you suggest any further debugging steps?

lhaithaes · July 24, 2018, 12:55pm

# dig ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> ocsp.int-x3.letsencrypt.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37582
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.   IN      AAAA

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 60 IN      CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 60 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:4898
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:48b0

;; Query time: 7 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Tue Jul 24 12:54:38 UTC 2018
;; MSG SIZE  rcvd: 198

lhaithaes · July 24, 2018, 12:56pm

# dig @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

cpu · July 24, 2018, 1:00pm

Hmm. This error indicates you aren’t able to contact the recursive resolver you have configured in your nginx settings (8.8.8.8) and makes it seem like your server has general networking problems beyond anything specific to Let’s Encrypt.

Can you share the output of these commands run on the server?:

ping -c5 8.8.8.8
curl -I http://example.com

lhaithaes · July 24, 2018, 1:04pm

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms

and

url -I http://example.com
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 24 Jul 2018 13:03:44 GMT
Etag: "1541025663"
Expires: Tue, 31 Jul 2018 13:03:44 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (dca/24A7)
X-Cache: HIT
Content-Length: 606

lhaithaes · July 24, 2018, 1:06pm

ok some issue between me and google then. i’ll try someone different perhaps the new cloud flare thing 1.1.1.1

cpu · July 24, 2018, 1:09pm

~~Did you run the curl -I http://example.com command I asked about as well?~~

~~It might be that your server has general connectivity issues with the Internet generally and 1.1.1.1 won't work either.~~ Edit: I see now you shared it and it did seem to work.

Switching to 1.1.1.1 might solve your problem but its pretty curious you can't reach 8.8.8.8 - that might be a symptom of a larger problem.

lhaithaes · July 24, 2018, 1:20pm

Most definitely, although I’m not sure what that could be at this point, I’m using a bundled install for this project. ill try the resolver change for now and come back.

cpu · July 24, 2018, 1:22pm

Sounds good! Best of luck

lhaithaes · August 3, 2018, 3:36pm

Im going back and forth with Amazon support. It could be a standard EC2 issue. ill close this for now.

system · September 2, 2018, 3:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.