Ocsp.int-x3.letsencrypt.org could not be resolved


I’m getting 2 errors every minute in our websites nginx error log, for the past 2 days.

ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, certificate: "/data/disk/o1/config/server_master/ssl.d/mydomain.com/openssl_chain.crt

There are lots of posts out there suggesting turning off stapling/OCSP but this surely is just a connection issue not a software issue? So i tried this, both on my local pc and on the server in question…
curl -6 -IL ocsp.int-x3.letsencrypt.org
both times i got
curl: (7) Couldn't connect to server

It seems similar to this post but its closed Ocsp.int-x3.letsencrypt.org could not be resolved

is the ocsp.int-x3.letsencrypt.org server working ok ?



That seems to be an issue of your web server configturation… Can you share us some part of your Nginx vHost (specifically resolver x.x.x.x part?)

Thank you


Hi stevenzhu, Google i think.

resolver valid=300s;
resolver_timeout 5s;


Hi @lhaithaes,


What does running these two commands on your affected server show?

  • dig ocsp.int-x3.letsencrypt.org AAAA
  • dig @ ocsp.int-x3.letsencrypt.org AAAA

To be 100% clear: does your server have a working IPv6 configuration? You’re using curl -6 to debug which indicates yes but I want to make sure that was the case.

@JamesLE Can you suggest any further debugging steps?

# dig ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> ocsp.int-x3.letsencrypt.org AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37582
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;ocsp.int-x3.letsencrypt.org.   IN      AAAA

ocsp.int-x3.letsencrypt.org. 60 IN      CNAME   ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net. 60 IN CNAME a771.dscq.akamai.net.
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:4898
a771.dscq.akamai.net.   1       IN      AAAA    2a02:26f0:71::5c7b:48b0

;; Query time: 7 msec
;; WHEN: Tue Jul 24 12:54:38 UTC 2018
;; MSG SIZE  rcvd: 198

# dig @ ocsp.int-x3.letsencrypt.org AAAA

; <<>> DiG 9.9.5-9+deb8u15-Debian <<>> @ ocsp.int-x3.letsencrypt.org AAAA
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


Hmm. This error indicates you aren’t able to contact the recursive resolver you have configured in your nginx settings ( and makes it seem like your server has general networking problems beyond anything specific to Let’s Encrypt.

Can you share the output of these commands run on the server?:

  • ping -c5
  • curl -I http://example.com

PING ( 56(84) bytes of data.

--- ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4030ms


url -I http://example.com
HTTP/1.1 200 OK
Content-Encoding: gzip
Accept-Ranges: bytes
Cache-Control: max-age=604800
Content-Type: text/html
Date: Tue, 24 Jul 2018 13:03:44 GMT
Etag: "1541025663"
Expires: Tue, 31 Jul 2018 13:03:44 GMT
Last-Modified: Fri, 09 Aug 2013 23:54:35 GMT
Server: ECS (dca/24A7)
X-Cache: HIT
Content-Length: 606


ok some issue between me and google then. i’ll try someone different perhaps the new cloud flare thing


Did you run the curl -I http://example.com command I asked about as well?

It might be that your server has general connectivity issues with the Internet generally and won’t work either. Edit: I see now you shared it and it did seem to work.

Switching to might solve your problem but its pretty curious you can’t reach - that might be a symptom of a larger problem.


Most definitely, although I’m not sure what that could be at this point, I’m using a bundled install for this project. ill try the resolver change for now and come back.


Sounds good! Best of luck :slight_smile:


Im going back and forth with Amazon support. It could be a standard EC2 issue. ill close this for now.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.