OCSP responder timed out (110: Connection timed out) while requesting certificate status

Hello, I got this error in the nginx log:

2022/03/22 03:21:17 [error] 1193544#1193544: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.241.51:80, certificate: "/etc/letsencrypt/live/domain.cn-0002/fullchain.pem"

Here is my conf:

ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.53 valid=1000s ipv6=off;
resolver_timeout 5s;

$ ping r3.o.lencr.org
PING r3.o.lencr.org (23.32.241.51) 56(84) bytes of data.
64 bytes from r3.o.lencr.org (23.32.241.51): icmp_seq=1 ttl=48 time=56.3 ms
64 bytes from r3.o.lencr.org (23.32.241.51): icmp_seq=2 ttl=48 time=55.3 ms
64 bytes from r3.o.lencr.org (23.32.241.51): icmp_seq=3 ttl=48 time=66.2 ms
64 bytes from r3.o.lencr.org (23.32.241.51): icmp_seq=4 ttl=48 time=84.0 ms
64 bytes from r3.o.lencr.org (23.32.241.51): icmp_seq=5 ttl=48 time=81.5 ms
^C
--- r3.o.lencr.org ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 55.297/68.633/83.951/12.135 ms

$ curl -4 -I r3.o.lencr.org
HTTP/1.1 200 OK
Server: nginx
Content-Length: 0
Cache-Control: max-age=7230
Expires: Tue, 22 Mar 2022 06:20:48 GMT
Date: Tue, 22 Mar 2022 04:20:18 GMT
Connection: keep-alive

How do I fix it?

Can you give the certificate that caused this?

P.S. While there are some reports of it being blocked by the Great Firewall (although that was for the old version of this: Ocsp.int-x3.letsencrypt.org is not working in China - #33), can you try it over a VPN?

2 Likes

I don't think it's a certificate problem.
Yeah, because of the poor connectivity between the new OCSP URI and our China mainland server, I had changed the /etc/hosts file to point r3.o.lencr.org to 23.32.241.51 (which has a much better connection than other IPs).
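
Added example, not part of the thread: a Python script that groups nginx OCSP stapling errors like the one in the first post by responder and peer address, which shows whether timeouts concentrate on particular resolved IPs before or after pinning one in /etc/hosts. The first sample line is the log line from the post; the other lines, the 192.0.2.10 peer and the example.test names are constructed.

```python
import re
from collections import defaultdict

# nginx error-log line written when an OCSP stapling fetch fails (format as in the post).
OCSP_ERR = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: (?P<msg>.+?) '
    r'while requesting certificate status, responder: (?P<responder>[^,]+), '
    r'peer: (?P<peer>[^,]+), certificate: "(?P<cert>[^"]+)"'
)

# Line 1 is the log line from the post. Everything else is constructed sample data:
# the 192.0.2.10 peer, the example.test names and the favicon line are not from the thread.
SAMPLE_LOG = """\
2022/03/22 03:21:17 [error] 1193544#1193544: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 23.32.241.51:80, certificate: "/etc/letsencrypt/live/domain.cn-0002/fullchain.pem"
2022/03/22 03:26:17 [error] 1193544#1193544: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 192.0.2.10:80, certificate: "/etc/letsencrypt/live/domain.cn-0002/fullchain.pem"
2022/03/22 03:31:17 [error] 1193544#1193544: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 192.0.2.10:80, certificate: "/etc/letsencrypt/live/example.test/fullchain.pem"
2022/03/22 03:33:02 [error] 1193544#1193544: *17 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: example.test, request: "GET /favicon.ico HTTP/1.1", host: "example.test"
2022/03/22 03:36:18 [error] 1193544#1193544: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 192.0.2.10:80, certificate: "/etc/letsencrypt/live/domain.cn-0002/fullchain.pem"
"""


def parse_ocsp_errors(text):
    """Yield one dict per OCSP stapling error line; unrelated log lines are skipped."""
    for line in text.splitlines():
        match = OCSP_ERR.match(line)
        if match:
            yield match.groupdict()


def summarize(text):
    """Group failures by (responder, peer): count, first/last timestamp, affected certs."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "certs": set()})
    for err in parse_ocsp_errors(text):
        entry = stats[(err["responder"], err["peer"])]
        entry["count"] += 1
        entry["first"] = entry["first"] or err["ts"]  # log is chronological
        entry["last"] = err["ts"]
        entry["certs"].add(err["cert"])
    return dict(stats)


if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (responder, peer), entry in ranked:
        print(f'{responder} via {peer}: {entry["count"]} failure(s), '
              f'{entry["first"]} .. {entry["last"]}, certs: {sorted(entry["certs"])}')
```

To use it on a real server, pass the contents of the nginx error log to `summarize()` in place of `SAMPLE_LOG`.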
