OCSP responder problems

mastercool · January 7, 2021, 3:19pm

My nginx server gets OCSP errors for several days now. I'm not sure if the OCSP responder is unstable or never works.
Example log lines:

2021/01/07 13:11:08 [error] 20866#20866: recv() failed (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.55.163.68:80, certificate: "/etc/nginx/ssl/ipv6.ipv6-test.molitor-dietzel.de.crt"
2021/01/07 13:11:08 [error] 20866#20866: OCSP responder prematurely closed connection while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org, peer: 23.55.163.68:80, certificate: "/etc/nginx/ssl/ipv6.ipv6-test.molitor-dietzel.de.crt"
2021/01/07 13:11:16 [error] 20866#20866: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.55.163.58:80, certificate: "/etc/nginx/ssl/bad.tlsa.molitor-dietzel.de.crt"
2021/01/07 13:11:16 [error] 20866#20866: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 23.55.163.58:80, certificate: "/etc/nginx/ssl/bad.tlsa.molitor-dietzel.de.crt"

petercooperjr · January 7, 2021, 3:35pm

I'm assuming this is errors from your server trying to do OCSP stapling?

Can you access r3.o.lencr.org from that server? What do you see when running something like

curl -v http://r3.o.lencr.org/

mastercool · January 7, 2021, 3:51pm

Yes, I'm trying to staple the ocsp response.
The curl output:

# curl -v http://r3.o.lencr.org/
* Expire in 0 ms for 6 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 0 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 1 ms for 1 (transfer 0x557274b02f90)
* Expire in 4 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 2 ms for 1 (transfer 0x557274b02f90)
* Expire in 4 ms for 1 (transfer 0x557274b02f90)
* Expire in 3 ms for 1 (transfer 0x557274b02f90)
* Expire in 3 ms for 1 (transfer 0x557274b02f90)
* Expire in 4 ms for 1 (transfer 0x557274b02f90)
* Expire in 4 ms for 1 (transfer 0x557274b02f90)
* Expire in 4 ms for 1 (transfer 0x557274b02f90)
* Expire in 8 ms for 1 (transfer 0x557274b02f90)
* Expire in 5 ms for 1 (transfer 0x557274b02f90)
* Expire in 5 ms for 1 (transfer 0x557274b02f90)
* Expire in 8 ms for 1 (transfer 0x557274b02f90)
* Expire in 5 ms for 1 (transfer 0x557274b02f90)
* Expire in 5 ms for 1 (transfer 0x557274b02f90)
* Expire in 8 ms for 1 (transfer 0x557274b02f90)
* Expire in 7 ms for 1 (transfer 0x557274b02f90)
* Expire in 7 ms for 1 (transfer 0x557274b02f90)
* Expire in 9 ms for 1 (transfer 0x557274b02f90)
*   Trying 23.55.163.58...
* TCP_NODELAY set
* Expire in 149986 ms for 3 (transfer 0x557274b02f90)
* Expire in 200 ms for 4 (transfer 0x557274b02f90)
* Connected to r3.o.lencr.org (23.55.163.58) port 80 (#0)
> GET / HTTP/1.1
> Host: r3.o.lencr.org
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 0
< Cache-Control: max-age=20211
< Expires: Thu, 07 Jan 2021 21:26:32 GMT
< Date: Thu, 07 Jan 2021 15:49:41 GMT
< Connection: keep-alive
< 
* Connection #0 to host r3.o.lencr.org left intact

rg305 · January 7, 2021, 8:05pm

I'm thinking this may have something to do with the MTU size and the path along the way.

To see if the problem is with that destination network, you could (temporarily) try to use a different IP for ocsp.int-x3.letsencrypt.org & r3.o.lencr.org.

Here is what I get from where I am:

ocsp.int-x3.letsencrypt.org     canonical name = ocsp.int-x3.letsencrypt.org.edgesuite.net.
ocsp.int-x3.letsencrypt.org.edgesuite.net       canonical name = a771.dscq.akamai.net.
Name:   a771.dscq.akamai.net
Address: 23.45.51.153
Name:   a771.dscq.akamai.net
Address: 23.45.51.162
Name:   a771.dscq.akamai.net
Address: 2600:1417:27::17ce:d768
Name:   a771.dscq.akamai.net
Address: 2600:1417:27::17ce:d758

r3.o.lencr.org  canonical name = o.lencr.edgesuite.net.
o.lencr.edgesuite.net   canonical name = a1887.dscq.akamai.net.
Name:   a1887.dscq.akamai.net
Address: 23.45.51.139
Name:   a1887.dscq.akamai.net
Address: 23.45.51.121
Name:   a1887.dscq.akamai.net
Address: 2600:1417:27::17ce:d77a
Name:   a1887.dscq.akamai.net
Address: 2600:1417:27::17ce:d780

petercooperjr · January 8, 2021, 1:54am

Any chance it might be related to this OCSP issue?

JamesLE · January 8, 2021, 1:59am

It wouldn’t be this issue; the timing doesn’t line up.