Since Feb 19 the following is written to this nginx/1.22.1 error log:
[error] 1429815#1429815: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: [2a02:26f0:ee00::217:5fa8]:80, certificate: "/etc/ssl/private/hopyard.pem"
[error] 1429815#1429815: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: [2a02:26f0:ee00::217:5fa1]:80, certificate: "/etc/ssl/private/hopyard.pem"
This message is repeated for both 2a02:26f0:ee00::217:5fa1 and 2a02:26f0:ee00::217:5fa8 every hour or so. letsencrypt.status.io says everything is fine. The Nginx configuration has not changed:
ssl_stapling on;
ssl_stapling_verify on;
I have NOT set an ssl_stapling_responder URL, as the responder can be extracted from the certificate just fine:
$ openssl x509 -in /etc/ssl/private/hopyard.pem -noout -text | grep -A2 'Authority Information'
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
....or so I thought, because:
$ getent hosts r3.o.lencr.org
2a02:26f0:300::58dd:da32 a1887.dscq.akamai.net
2a02:26f0:300::58dd:da09 a1887.dscq.akamai.net
...these IP addresses look very different from the addresses reported above.
This topic turns up every now and then and I had seen this in my webserver logs before, and I think the last time the errors just vanished after a few days and I suspect the same will happen this time.
Does anybody know of current problems with the OCSP responder that are not shown on letsencrypt.status.io?
Also, does anybody know why the Nginx documentation recommends setting an explicit resolver directive, thus overriding the (working) system resolver? I know this should be better asked in an Nginx discussion forum, but maybe someone knows about this anyway.
Thanks for any ideas on this topic.
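A small check that turns the comparison made in the post (the peer addresses in the nginx error log versus what the system resolver currently returns for r3.o.lencr.org) into something repeatable. This is added example code, not from the original post or from nginx: it parses OCSP responder error lines, counts failures per peer address, and lists peers that no longer appear in the current DNS answer. The log lines are constructed for the example (the two IPv6 entries mirror the ones quoted above; the IPv4 entry and the unrelated favicon line are made up to exercise the parser), and `resolve_responder` is a plain `getaddrinfo` lookup, so it needs network access only when run as a script. If the logged peers never show up in a fresh lookup, that points at nginx still using addresses it obtained when the configuration was loaded, which is the situation the `resolver` directive is meant to address.

```python
"""Added example: spot nginx OCSP-stapling peers that no longer match DNS."""
import ipaddress
import re
import socket
from collections import Counter

# Matches the body of an nginx error-log line about an OCSP responder failure.
# Handles both "[v6addr]:port" and "v4addr:port" peer formats.
OCSP_ERROR = re.compile(
    r"OCSP responder (?P<reason>.+?) \((?P<errno>\d+): (?P<errtext>[^)]*)\) "
    r"while requesting certificate status, responder: (?P<responder>[^,]+), "
    r"peer: (?:\[(?P<peer6>[^\]]+)\]|(?P<peer4>[\d.]+)):(?P<port>\d+), "
    r'certificate: "(?P<cert>[^"]+)"'
)

# Constructed sample log. The two IPv6 lines mirror the ones in the post; the
# IPv4 line (documentation range) and the favicon line are made up.
SAMPLE_LOG = """\
2024/02/19 10:12:01 [error] 1429815#1429815: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: [2a02:26f0:ee00::217:5fa8]:80, certificate: "/etc/ssl/private/hopyard.pem"
2024/02/19 11:15:44 [error] 1429815#1429815: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: [2a02:26f0:ee00::217:5fa1]:80, certificate: "/etc/ssl/private/hopyard.pem"
2024/02/19 11:20:03 [error] 1429815#1429815: open() "/var/www/html/favicon.ico" failed (2: No such file or directory)
2024/02/19 12:18:30 [error] 1429815#1429815: OCSP responder timed out (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 203.0.113.10:80, certificate: "/etc/ssl/private/hopyard.pem"
"""


def parse_ocsp_errors(lines):
    """Return one dict per OCSP-responder error line; other lines are skipped."""
    records = []
    for line in lines:
        m = OCSP_ERROR.search(line)
        if not m:
            continue
        peer = m.group("peer6") or m.group("peer4")
        records.append({
            "responder": m.group("responder"),
            # Normalise so "2a02:26f0:ee00:0:0:0:217:5fa8" and the compressed
            # form compare equal.
            "peer": ipaddress.ip_address(peer).compressed,
            "port": int(m.group("port")),
            "reason": m.group("reason"),
            "errno": int(m.group("errno")),
            "cert": m.group("cert"),
        })
    return records


def peer_counts(records):
    """Number of failures per responder peer address."""
    return Counter(r["peer"] for r in records)


def stale_peers(records, current_addrs):
    """Peers nginx is still contacting that the current DNS answer lacks."""
    current = {ipaddress.ip_address(a).compressed for a in current_addrs}
    return sorted({r["peer"] for r in records} - current)


def resolve_responder(host):
    """Live lookup through the system resolver (what `getent hosts` shows)."""
    return {ipaddress.ip_address(info[4][0]).compressed
            for info in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)}


if __name__ == "__main__":
    recs = parse_ocsp_errors(SAMPLE_LOG.splitlines())
    for peer, n in peer_counts(recs).items():
        print(f"{peer}: {n} failure(s)")
    try:
        live = resolve_responder(recs[0]["responder"])
    except socket.gaierror:
        live = set()  # offline: every logged peer will be reported as stale
    print("logged peers absent from current DNS:", stale_peers(recs, live))
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/nginx/error.log`; the `getent hosts` output quoted above can be passed to `stale_peers` directly as the `current_addrs` argument if you would rather not do a live lookup.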