OCSP Responder test error: bad hostname lookup

When making a change to an nginx web server running on Ubuntu, I tested the nginx configuration and received the following warning:

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org/"

I'd set up the web server a few months ago and had been updating the nginx configuration without seeing this warning until yesterday.

I started poking around and tested OCSP using openssl.

I ran the following command:

sudo openssl ocsp -issuer chain.pem -cert tm.pem -text -url http://ocsp.int-x3.letsencrypt.org/

with the following results:

OCSP Request Data:
Version: 1 (0x0)
Requestor List:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 03BD1754FBA80442EFE1CE2735DC96C598CF
Request Extensions:
    OCSP Nonce: 
        0410DC5C7354CF0C9838F66506F58A081AE3
Error connecting BIO
Error querying OCSP responder
140605810423448:error:2006A066:BIO routines:BIO_get_host_ip:bad hostname lookup:b_sock.c:146:host=ocsp.int-x3.letsencrypt.org

The website seems to work fine.

I can't find much info about the error. I don't know what changed.

Thanks.

Hi @turnipcyberveggie,

I’m not sure what the cause of your Nginx problem is, but I can help you fix your openssl ocsp test command. You’re missing a few arguments:

  • -no_nonce - we don’t use OCSP nonces
  • -VAfile chain.pem - for validating the response signature
  • -header Host ocsp.int-x3.letsencrypt.org - the OpenSSL ocsp utility doesn’t send an HTTP host header, causing issues with our CDN.

So, all told it should look like:
openssl ocsp -no_nonce -issuer chain.pem -cert tm.pem -VAfile chain.pem -text -url http://ocsp.int-x3.letsencrypt.org/ -header Host ocsp.int-x3.letsencrypt.org

Does that work for you?

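A small diagnostic script, added here as an example (not code from the thread or from Let's Encrypt), that puts the two checks discussed in this thread in the order they mattered: first confirm the responder hostname resolves, then run the openssl ocsp query with the arguments listed above. It assumes the chain.pem and tm.pem file names from the thread, a glibc system with getent, and that the responder URL can be read from the certificate's AIA extension.

```shell
#!/bin/sh
# Added example: OCSP responder diagnostic (not from the thread).
# Usage: ./ocsp-check.sh chain.pem tm.pem
set -eu

# Reduce an OCSP responder URL to the bare host name, which is what both
# the DNS check and the -header Host argument need.
ocsp_host() {
    # $1: URL such as http://ocsp.int-x3.letsencrypt.org/
    h=${1#*://}      # drop the scheme
    h=${h%%/*}       # drop the path
    h=${h%%:*}       # drop a port, if present
    printf '%s\n' "$h"
}

# Read the responder URL the CA embedded in the certificate (AIA extension)
# instead of typing it by hand.
ocsp_url_of() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Same question the thread asked with dig: does the name resolve at all?
dns_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Full check: DNS first (the root cause in this thread), then the query.
check_ocsp() {
    chain=$1; cert=$2
    url=$(ocsp_url_of "$cert")
    host=$(ocsp_host "$url")
    if ! dns_resolves "$host"; then
        echo "DNS: cannot resolve $host; check the resolver before blaming OCSP" >&2
        return 2
    fi
    # OpenSSL 1.0.x takes "-header name value"; 1.1.0 and later take
    # "-header name=value" (assumption based on the tool's documented change).
    if openssl version | grep -q '^OpenSSL 1\.0'; then
        set -- -header Host "$host"
    else
        set -- -header "Host=$host"
    fi
    # -no_nonce: the responder ignores nonces; -VAfile: verify the response
    # signature against the issuer chain; Host header: needed by the CDN.
    openssl ocsp -no_nonce -issuer "$chain" -cert "$cert" -VAfile "$chain" \
        -text -url "$url" "$@"
}

if [ "$#" -ge 2 ]; then
    check_ocsp "$@"
fi
```

Exit status 2 means the name did not resolve, so a failure there is a resolver or network problem rather than an OCSP one.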

@cpu: Same results. :frowning: (And thanks for the help)

Is the DNS on your test host working? What does dig ocsp.int-x3.letsencrypt.org look like?

Hm… it would appear not:

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ocsp.int-x3.letsencrypt.org
;; global options: +cmd
;; connection timed out; no servers could be reached

Seems like the root of the problem!

Are you able to diagnose this yourself from here out? I would probably try replacing the upstream DNS servers with a well known public resolver as a first step (assuming you aren’t using one already). If that still fails it would probably point to a network issue.

I got it. I’ll track it down from here. I don’t think it’s a Let’s Encrypt issue. Thanks for the info @cpu.


Happy to help! Good luck!

To wrap things up for anyone who ends up here: I rebooted my server and all my problems went away. This was the 4th-ish reboot since the problem started so I’m not really clear what happened. Perhaps it was an issue with the host’s DNS.
