When making a change to an nginx web server running on Ubuntu, I tested the nginx configuration and received the following warning:
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"
I’d set up the web server a few months ago and had been updating the nginx configuration without seeing this warning until yesterday.
I started poking around and tested OCSP using openssl.
I ran the following command:
sudo openssl ocsp -issuer chain.pem -cert tm.pem -text -url http://ocsp.int-x3.letsencrypt.org/
with the following results:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 03BD1754FBA80442EFE1CE2735DC96C598CF
    Request Extensions:
        OCSP Nonce:
            0410DC5C7354CF0C9838F66506F58A081AE3
Error connecting BIO
Error querying OCSP responder
140605810423448:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname lookup:b_sock.c:146:host=ocsp.int-x3.letsencrypt.org
The website seems to work fine.
I can’t find much info about the error. I don’t know what changed.
Thanks.
cpu, April 28, 2017, 12:20pm
Hi @turnipcyberveggie,
I'm not sure what the cause of your Nginx problem is, but I can help you fix your openssl ocsp test command. You're missing a few arguments:
-no_nonce: we don't use OCSP nonces
-VAfile chain.pem: for validating the response signature
-header Host ocsp.int-x3.letsencrypt.org: the OpenSSL ocsp utility doesn't send an HTTP Host header, causing issues with our CDN.
So, all told it should look like:
openssl ocsp -no_nonce -issuer chain.pem -cert tm.pem -VAfile chain.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host ocsp.int-x3.letsencrypt.org
Does that work for you?
@cpu: Same results. (And thanks for the help)
cpu, April 28, 2017, 12:30pm
Is the DNS on your test host working? What does dig ocsp.int-x3.letsencrypt.org look like?
Hm… it would appear not:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; connection timed out; no servers could be reached
cpu, April 28, 2017, 12:35pm
Seems like the root of the problem!
Are you able to diagnose this yourself from here out? I would probably try replacing the upstream DNS servers with a well known public resolver as a first step (assuming you aren’t using one already). If that still fails it would probably point to a network issue.
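Putting the two replies together, here is an added example (not from the thread, and not Let's Encrypt's code) as a small shell script: it pulls the OCSP responder URL out of the leaf certificate, checks that the hostname resolves with the system resolver first (nginx resolves that hostname while parsing the configuration, which is why a broken resolver shows up as a "host not found" warning from nginx -t), and only then runs the openssl ocsp query from the earlier reply. The file names tm.pem and chain.pem are the poster's and stand in for your own leaf and intermediate certificates; the self-signed certificate built at the end is constructed test data so the URL extraction can be exercised offline. One caveat the script handles: OpenSSL 1.0.x, which the thread's command assumes, takes `-header Host value`, while 1.1.0 and later take `-header Host=value`, so the form is chosen from `openssl version`.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes an OpenSSL CLI on PATH.
# tm.pem / chain.pem are the poster's file names (placeholders for yours).

# Print the OCSP responder URL from the leaf certificate's AIA extension.
ocsp_uri_of_cert() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Reduce http://host[:port]/path to the bare hostname (for DNS and the Host header).
host_of_url() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z][A-Za-z0-9+.-]*://##; s#[/:].*$##'
}

# OpenSSL 1.0.x expects "-header name value" (as in the reply above);
# 1.1.0 and later expect "-header name=value". $1 is `openssl version` output.
host_header_arg() {
  case "$1" in
    "OpenSSL 0."*|"OpenSSL 1.0."*) printf 'Host %s' "$2" ;;
    *) printf 'Host=%s' "$2" ;;
  esac
}

# System resolver lookup, the same path nginx -t takes for the responder host.
dns_ok() {
  getent hosts "$1" >/dev/null 2>&1
}

# cpu's query: no nonce, signature verified against the chain, explicit Host header.
ocsp_query() {
  cert=$1; chain=$2; url=$3
  host=$(host_of_url "$url")
  # Intentional word splitting: yields "Host value" (2 words) or "Host=value" (1 word).
  set -- $(host_header_arg "$(openssl version)" "$host")
  openssl ocsp -no_nonce -issuer "$chain" -cert "$cert" -VAfile "$chain" \
    -text -url "$url" -header "$@"
}

# Resolve first, so a broken resolver is reported as DNS, not as an OCSP failure.
check_stapling() {
  url=$(ocsp_uri_of_cert "$1") || return 2
  host=$(host_of_url "$url")
  if ! dns_ok "$host"; then
    echo "DNS: cannot resolve $host; fix the resolver before blaming the CA" >&2
    return 1
  fi
  ocsp_query "$1" "$2" "$url"
}

# Constructed test data: a throwaway self-signed cert carrying an OCSP AIA entry,
# so ocsp_uri_of_cert can be exercised without any real certificate or network.
make_test_cert() {
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
authorityInfoAccess = OCSP;URI:$2
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj /CN=stapling-test -config "$cfg" >/dev/null 2>&1
  rc=$?
  rm -f "$cfg"
  return $rc
}

# Usage against a real deployment: check_stapling tm.pem chain.pem
```

If check_stapling exits with status 1, the problem is the resolver on the host, exactly the situation in this thread; if DNS is fine but the query fails, the output of openssl ocsp -text is what to read next.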
I got it. I'll track it down from here. I don't think it's a Let's Encrypt issue. Thanks for the info @cpu.
cpu, April 28, 2017, 12:38pm
Happy to help! Good luck!
To wrap things up for anyone who ends up here: I rebooted my server and all my problems went away. This was the 4th-ish reboot since the problem started so I’m not really clear what happened. Perhaps it was an issue with the host’s DNS.
system (Closed), May 28, 2017, 2:25pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.