Ocsp.int-x3.letsencrypt.org could not be resolved


#1

I’m getting 2 errors every minute in our website’s nginx error log, for the past 2 days.

ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/data/disk/o1/config/server_master/ssl.d/mydomain.com/openssl_chain.crt

There are lots of posts out there suggesting turning off stapling/OCSP, but this surely is just a connection issue, not a software issue? So I tried this, both on my local PC and on the server in question…
curl -6 -IL ocsp.int-x3.letsencrypt.org
both times I got
curl: (7) Couldn't connect to server

It seems similar to this post, but it’s closed: Ocsp.int-x3.letsencrypt.org could not be resolved

Is the ocsp.int-x3.letsencrypt.org server working OK?


#2

Hi,

That seems to be an issue of your web server configuration… Can you share with us some part of your Nginx vHost (specifically the resolver x.x.x.x part)?

Thank you


#3

Hi stevenzhu, Google, I think.

resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;


#4

Hi @lhaithaes,

Yup!

What does running these two commands on your affected server show?

  • dig ocsp.int-x3.letsencrypt.org AAAA
  • dig @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA

To be 100% clear: does your server have a working IPv6 configuration? You’re using curl -6 to debug which indicates yes but I want to make sure that was the case.

@JamesLE Can you suggest any further debugging steps?


#5
# dig ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> ocsp.int-x3.letsencrypt.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37582
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.   IN      AAAA

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 60 IN      CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 60 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:4898
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:48b0

;; Query time: 7 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Tue Jul 24 12:54:38 UTC 2018
;; MSG SIZE  rcvd: 198

#6
# dig @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> @8.8.8.8 ocsp.int-x3.letsencrypt.org AAAA
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

#7

Hmm. This error indicates you aren’t able to contact the recursive resolver you have configured in your nginx settings (8.8.8.8) and makes it seem like your server has general networking problems beyond anything specific to Let’s Encrypt.

Can you share the output of these commands, run on the server?

  • ping -c5 8.8.8.8
  • curl -I http://example.com

#8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms

and

curl -I http://example.com
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 24 Jul 2018 13:03:44 GMT
Etag: "1541025663"
Expires: Tue, 31 Jul 2018 13:03:44 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (dca/24A7)
X-Cache: HIT
Content-Length: 606
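An added example, not code from any post in this thread: a small triage script for exactly the situation above. The nginx message "<host> could not be resolved" is emitted whenever nginx's `resolver` fails, so it lumps together "the resolver is unreachable" (the `dig @8.8.8.8` result in post #6), "the name does not resolve", and, for nginx's other stapling messages, "the responder itself is unreachable". The functions below separate those cases from the nginx log line, the `resolver` directive and `dig` output. All inputs are constructed for the demo: the first log line and the dig transcripts are modelled on the ones posted above, the second log line is my assumption of the shape of nginx's "OCSP responder ..." message, and the certificate and config paths are placeholders.

```shell
#!/bin/sh
# Added example (not code from this thread): triage nginx OCSP-stapling errors.
# nginx logs "<host> could not be resolved (...)" whenever its `resolver`
# fails, so that one line covers "resolver unreachable" and "name does not
# resolve"; its "OCSP responder ..." messages cover the HTTP side. The three
# functions below tell those cases apart offline; the loop at the end shows
# the live form.

# parse_stapling_error LINE -> "<stage> <responder-host> <errno>"
#   stage: dns   for "... could not be resolved (...)"   (resolver problem)
#          http  for nginx's "OCSP responder ..." messages (HTTP problem)
#          other otherwise
parse_stapling_error() {
    line=$1
    host=$(printf '%s\n' "$line" | sed -n 's/.*responder: \([^,]*\),.*/\1/p')
    errno=$(printf '%s\n' "$line" | sed -n 's/.*(\([0-9][0-9]*\): .*/\1/p')
    case $line in
        *"could not be resolved"*) stage=dns ;;
        *"OCSP responder"*)        stage=http ;;
        *)                         stage=other ;;
    esac
    printf '%s %s %s\n' "$stage" "${host:--}" "${errno:--}"
}

# resolvers_from_conf < nginx.conf -> "ip1 ip2 ..."
#   Addresses named in `resolver` directives, minus options such as
#   valid=300s or ipv6=off. `resolver_timeout` is deliberately not matched.
resolvers_from_conf() {
    sed -n 's/^[[:space:]]*resolver[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' |
        tr ' \t' '\n\n' | grep -v '=' | grep -v '^$' | tr '\n' ' ' | sed 's/ $//'
}

# classify_dig_output < dig-output -> one of
#   RESOLVER_UNREACHABLE   no reply from the resolver at all (post #6 above)
#   NXDOMAIN               resolver replied: the name does not exist
#   NO_RECORDS             resolver replied, but no A/AAAA in the answer
#   OK <addr> [<addr>...]  A/AAAA records from the ANSWER section (post #5)
classify_dig_output() {
    out=$(cat)
    case $out in
        *"no servers could be reached"*) printf 'RESOLVER_UNREACHABLE\n'; return 0 ;;
        *"status: NXDOMAIN"*)            printf 'NXDOMAIN\n'; return 0 ;;
    esac
    addrs=$(printf '%s\n' "$out" |
        awk '$1 !~ /^;/ && ($4 == "A" || $4 == "AAAA") { print $5 }' |
        tr '\n' ' ' | sed 's/ $//')
    if [ -n "$addrs" ]; then printf 'OK %s\n' "$addrs"; else printf 'NO_RECORDS\n'; fi
}

# --- constructed demo inputs ------------------------------------------------
# Log line as posted in this thread (certificate path replaced by a placeholder).
LOG_DNS='ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/ssl/example.crt"'
# Constructed line in the shape of nginx's responder-side timeout (assumption).
LOG_HTTP='OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/etc/nginx/ssl/example.crt"'
# The resolver lines from post #3.
CONF='resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;'
# Abridged dig transcripts modelled on posts #5 and #6.
DIG_OK=$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37582
;; QUESTION SECTION:
;ocsp.int-x3.letsencrypt.org.   IN      AAAA

;; ANSWER SECTION:
ocsp.int-x3.letsencrypt.org. 60 IN      CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:4898
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:48b0
EOF
)
DIG_TIMEOUT=';; connection timed out; no servers could be reached'

printf 'log line        : %s\n' "$(parse_stapling_error "$LOG_DNS")"
printf 'nginx resolvers : %s\n' "$(printf '%s\n' "$CONF" | resolvers_from_conf)"
printf 'dig @8.8.8.8    : %s\n' "$(printf '%s\n' "$DIG_TIMEOUT" | classify_dig_output)"
printf 'dig @172.31.0.2 : %s\n' "$(printf '%s\n' "$DIG_OK" | classify_dig_output)"

# Live use on the affected host (needs network, so not run here):
#   for r in $(resolvers_from_conf < /etc/nginx/nginx.conf); do
#       printf '%s: ' "$r"
#       dig "@$r" ocsp.int-x3.letsencrypt.org AAAA | classify_dig_output
#   done
```

Reading the result: RESOLVER_UNREACHABLE for an address named in `resolver` is a networking problem between the host and that resolver, not a stapling or Let's Encrypt problem, and turning stapling off only hides it; the fix is a resolver nginx can actually reach (post #5 shows the system resolver at 172.31.0.2 answering fine). Only an OK answer followed by an `http`-stage error points at the responder or the path to it. One caveat from post #4's IPv6 question: nginx's resolver asks for AAAA as well as A records unless the directive carries `ipv6=off`, so on a host without working IPv6 the AAAA answers seen above are candidates nginx may try to connect to.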

#9

OK, some issue between me and Google then. I’ll try someone different, perhaps the new Cloudflare thing, 1.1.1.1.


#10

Did you run the curl -I http://example.com command I asked about as well?

It might be that your server has general connectivity issues with the Internet generally and 1.1.1.1 won’t work either. Edit: I see now you shared it and it did seem to work.

Switching to 1.1.1.1 might solve your problem, but it’s pretty curious you can’t reach 8.8.8.8; that might be a symptom of a larger problem.


#11

Most definitely, although I’m not sure what that could be at this point; I’m using a bundled install for this project. I’ll try the resolver change for now and come back.


#12

Sounds good! Best of luck 🙂


#13

I’m going back and forth with Amazon support. It could be a standard EC2 issue. I’ll close this for now.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.